I have a form with a lot of variables which is then sending an email, rather than sanitizing each $_POST
value with filter_var($_POST['var'], FILTER_SANITIZE_STRING);
I was after a more simple piece of code. I came up with the below, which seems to work as I believe the default action is FILTER_SANITIZE_STRING
, but I was just wondering what peoples opinions are, and if this is not good practice, perhaps you could tell me why? The $_POST
values are then individually embedded into new variables, so I would only be using array_map just at the start to sanitize everything...
$_POST = array_map('filter_var', $_POST);
Thank you for your replies, to give you a little more information, basically:
I have 20-30 input fields in a form which are being captured, the data is then displayed to the user to check their input, variables are then sanitized, the user is then sent an email and then finally the details are entered into a db.
currently I am sanitizing using the above array_map function, as well as FILTER_SANITIZE_EMAIL on the email address before sending an email and then escaping the input using mysql_real_escape_string() before the insert into the db. Without getting into prepared statements etc.. do you think I should be doing anything additionally? thanks again!
If the type of each of your input variables is a string and you want to sanitize them all at once, you can use:
// prevent XSS
$_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
This will sanitize your $_GET and $_POST arrays.
Seen here: PHP -Sanitize values of a array