Just a hint I tested:
You can obtain all the chars <32 (so newline and carriage return) by using the not operator, !FILTER_FLAG_STRIP_LOW, as the last argument.
Example:
filter_input(INPUT_GET, 'test', FILTER_SANITIZE_STRING, !FILTER_FLAG_STRIP_LOW);
The filter keeps working as before, removing everything else apart from FILTER_FLAG_STRIP_LOW.
Just filter manually those "bad" chars <32 you don't want.
Sanitize filters
| ID | Name | Options | Flags | Description |
|---|---|---|---|---|
| FILTER_SANITIZE_EMAIL | "email" | | | Remove all characters except letters, digits and !#$%&'*+-/=?^_`{\|}~@.[]. |
| FILTER_SANITIZE_ENCODED | "encoded" | | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH | URL-encode string, optionally strip or encode special characters. |
| FILTER_SANITIZE_MAGIC_QUOTES | "magic_quotes" | | | Apply addslashes(). |
| FILTER_SANITIZE_NUMBER_FLOAT | "number_float" | | FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND, FILTER_FLAG_ALLOW_SCIENTIFIC | Remove all characters except digits, +- and optionally .,eE. |
| FILTER_SANITIZE_NUMBER_INT | "number_int" | | | Remove all characters except digits, plus and minus sign. |
| FILTER_SANITIZE_SPECIAL_CHARS | "special_chars" | | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_HIGH | HTML-escape '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters. |
| FILTER_SANITIZE_FULL_SPECIAL_CHARS | "full_special_chars" | | FILTER_FLAG_NO_ENCODE_QUOTES | Equivalent to calling htmlspecialchars() with ENT_QUOTES set. Encoding quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES. Like htmlspecialchars(), this filter is aware of the default_charset, and if a sequence of bytes is detected that makes up an invalid character in the current character set then the entire string is rejected, resulting in a 0-length string. When using this filter as a default filter, see the warning below about setting the default flags to 0. |
| FILTER_SANITIZE_STRING | "string" | | FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Strip tags, optionally strip or encode special characters. |
| FILTER_SANITIZE_STRIPPED | "stripped" | | | Alias of "string" filter. |
| FILTER_SANITIZE_URL | "url" | | | Remove all characters except letters, digits and $-_.+!*'(),{}\|\\^~[]`<>#%";/?:@&=. |
| FILTER_UNSAFE_RAW | "unsafe_raw" | | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Do nothing, optionally strip or encode special characters. |
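The following is an added example, not code from the PHP manual: it runs one constructed, hostile-looking input through several of the filters in the table so the effect of each filter and flag can be compared side by side. The filter and flag constants are the real ones; the input string and the helper `sanitizeSamples()` are ours. Flags are bitmasks, so several are combined with the bitwise OR operator (`|`).

```php
<?php
declare(strict_types=1);

// Added example (not from the manual): apply several sanitize filters to the
// same raw value and return the results keyed by a short label.
function sanitizeSamples(string $raw): array
{
    return [
        // Strips tags; quotes are encoded as &#39; / &#34; unless
        // FILTER_FLAG_NO_ENCODE_QUOTES is set.
        'string'                 => filter_var($raw, FILTER_SANITIZE_STRING),
        'string, keep quotes'    => filter_var($raw, FILTER_SANITIZE_STRING,
                                       FILTER_FLAG_NO_ENCODE_QUOTES),
        // Strip tags, drop bytes < 32 and > 127, and encode & as &#38;.
        'string, strip low+high' => filter_var($raw, FILTER_SANITIZE_STRING,
                                       FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH | FILTER_FLAG_ENCODE_AMP),
        // htmlspecialchars(..., ENT_QUOTES): the filter to use when the value
        // is going to be echoed into HTML. Tag stripping alone is not output encoding.
        'full_special_chars'     => filter_var($raw, FILTER_SANITIZE_FULL_SPECIAL_CHARS),
        // Encodes '"<>& and control characters as numeric entities.
        'special_chars'          => filter_var($raw, FILTER_SANITIZE_SPECIAL_CHARS),
        'number_int'             => filter_var($raw, FILTER_SANITIZE_NUMBER_INT),
        'number_float'           => filter_var($raw, FILTER_SANITIZE_NUMBER_FLOAT,
                                       FILTER_FLAG_ALLOW_FRACTION),
        'email'                  => filter_var($raw, FILTER_SANITIZE_EMAIL),
        'url'                    => filter_var($raw, FILTER_SANITIZE_URL),
        // Does nothing except what the flags ask for: here, drop non-ASCII bytes.
        'unsafe_raw, strip high' => filter_var($raw, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_HIGH),
    ];
}

// Constructed sample input: a tag with an event-handler attribute, both quote
// styles, an ampersand, a tab, a non-ASCII character and some digits.
$raw = "<b onclick=\"x()\">Tom's café</b> & 12.5\tok";

foreach (sanitizeSamples($raw) as $label => $result) {
    // var_export shows the string quoted, so stripped or encoded bytes are visible.
    printf("%-24s %s\n", $label . ':', var_export($result, true));
}
```

Run it once with a tab or a newline in `$raw` and once without to see what FILTER_FLAG_STRIP_LOW removes. Two version notes for anyone copying this: FILTER_SANITIZE_STRING (and its alias "stripped") is deprecated as of PHP 8.1, and FILTER_SANITIZE_MAGIC_QUOTES was removed in PHP 8.0, which is why the latter is not exercised here.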
Warning
When using one of these filters as a default filter, either through your ini file
or through your web server's configuration, the default flags are set to
FILTER_FLAG_NO_ENCODE_QUOTES. You need to explicitly set
filter.default_flags to 0 to have quotes encoded by default, like this:
Example #1 Configuring the default filter to act like htmlspecialchars
filter.default = full_special_chars
filter.default_flags = 0
scamber256 at hotmail dot de
06-Aug-2011 02:37
Dmitry Snytkine
11-Apr-2011 04:17
Beware that FILTER_FLAG_STRIP_LOW strips NEWLINE and TAB and CARRIAGE RETURN chars. If you have a form that accepts user input in plaintext format, all the submitted text will lose all the line breaks, making it appear all on one line. This basically renders this filter useless for parsing user-submitted text, even in plain text.
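As an added example, not part of the comment above or of the manual, here is one way to keep line breaks while still removing the control characters you do not want: read the field with FILTER_UNSAFE_RAW (which touches nothing unless flags are given) and strip the unwanted bytes yourself. The constant `UNWANTED_CONTROL_CHARS`, the functions `sanitizeMultilineText()` and `readMultilineField()`, and the sample string are ours.

```php
<?php
declare(strict_types=1);

// Added example (not from the manual). FILTER_FLAG_STRIP_LOW removes every byte
// below 32, including \t, \r and \n. For multi-line plain-text input, remove
// only the control characters you do not want and leave the line breaks alone.

// Bytes below 0x20 other than TAB (0x09), LF (0x0A) and CR (0x0D), plus DEL (0x7F).
const UNWANTED_CONTROL_CHARS = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/';

function sanitizeMultilineText(string $raw): string
{
    // Normalise CRLF and lone CR to LF so the stored text has one line-break convention.
    $text = str_replace(["\r\n", "\r"], "\n", $raw);
    // Drop the remaining control characters but keep tabs and newlines.
    $text = preg_replace(UNWANTED_CONTROL_CHARS, '', $text);
    return $text ?? ''; // preg_replace() returns null on a regex engine error
}

// Reads a POST field without letting the filter extension alter line breaks.
// Returns null when the field is absent or is not a string (e.g. an array).
function readMultilineField(string $name): ?string
{
    $raw = filter_input(INPUT_POST, $name, FILTER_UNSAFE_RAW);
    if (!is_string($raw)) {
        return null;
    }
    return sanitizeMultilineText($raw);
}

// Constructed sample: two lines separated by CRLF, a tab, a NUL byte and an
// ANSI escape sequence. The ESC byte (0x1B) is removed; the printable "[31m"
// that followed it stays, so stripping control bytes is not the same as
// stripping terminal escape sequences.
$sample = "line one\r\n\tline two\x00 with \x1b[31mjunk";
var_dump(sanitizeMultilineText($sample));
```

This is storage-side cleanup only. When the text is later written into an HTML page it still needs output encoding, for example htmlspecialchars() or the FILTER_SANITIZE_FULL_SPECIAL_CHARS filter described above.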
marcus at synchromedia dot co dot uk
27-Nov-2009 01:07
It's not entirely clear what the LOW and HIGH ranges are. LOW is characters below 32, HIGH is those above 127, i.e. outside the ASCII range.
<?php
$a = "\tcafé\n";
// FILTER_FLAG_STRIP_LOW removes bytes below 32: here the tab and the line break.
echo filter_var($a, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
// FILTER_FLAG_STRIP_HIGH removes bytes above 127: here both UTF-8 bytes of the é.
echo filter_var($a, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
?>
