Constant FILTER_SANITIZE_STRING is deprecated
This filter had an unclear purpose. It's difficult to say what exactly it was meant to accomplish or when it should be used. It was also confused with the default string filter, due to its name, when in reality the default string filter is called FILTER_UNSAFE_RAW. The PHP community decided that the usage of this filter should not be supported anymore.
The behaviour of this filter was very unintuitive. It removed everything between < and the end of the string or until the next >. It also removed all NUL bytes. Finally, it encoded ' and " into their HTML entities.
If you want to replace it, you have a couple of options:
- Use the default string filter FILTER_UNSAFE_RAW that doesn't do any filtering. This should be used if you had no idea about the behaviour of FILTER_SANITIZE_STRING and you just want to use a default filter that will give you the string value.
- If you used this filter to protect against XSS vulnerabilities, then replace its usage with htmlspecialchars(). Don't call this function on the input data. To protect against XSS you need to encode the output!
- If you knew exactly what that filter does and you want to create a polyfill, you can do that easily with regex.
function filter_string_polyfill(string $string): string
{
    // Strip NUL bytes and anything from "<" up to the next ">" (or end of string)
    $str = preg_replace('/\x00|<[^>]*>?/', '', $string);
    // Encode quotes as HTML entities, as the old filter did
    return str_replace(["'", '"'], ['&#39;', '&#34;'], $str);
}
Don’t try to sanitize input. Escape output.
Why does FILTER_SANITIZE_STRING remove part of the SQL string?
You are explicitly removing all strings between < and > when you pass it through your filter. As to why you are doing this and expect different results, I am unsure.
public function SetSQL($sql) {
    $this->sql = filter_var($sql, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
}
Maybe you are confused about the name of FILTER_SANITIZE_STRING. This filter removes all substrings between < and > (or the end of the whole string) including the brackets. It doesn't encode quotes as you have disabled that with a flag.
To fix this, simply remove that filter altogether. This will do what you want:
public function SetSQL($sql) {
    $this->sql = $sql;
}
By the way, constant FILTER_SANITIZE_STRING is deprecated. Please stop using it.
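As an added example that is not part of either answer above, the following script runs the same inputs through the polyfill (the old FILTER_SANITIZE_STRING behaviour), the default FILTER_UNSAFE_RAW filter, and htmlspecialchars() at output time, so the data loss on a legitimate "<" and the difference between sanitising input and escaping output are visible side by side. The sample inputs, including the SQL fragment, are constructed.

```php
<?php
// Added example, not from the answers above. Sample inputs are constructed.

// Reproduction of the deprecated FILTER_SANITIZE_STRING behaviour (the polyfill).
function filter_string_polyfill(string $string): string
{
    $str = preg_replace('/\x00|<[^>]*>?/', '', $string);
    return str_replace(["'", '"'], ['&#39;', '&#34;'], $str);
}

// Returns the three candidate treatments of one input so they can be compared.
function compare_treatments(string $input): array
{
    return [
        // Default filter: no filtering at all, the string comes back as-is.
        'unsafe_raw'      => filter_var($input, FILTER_UNSAFE_RAW),
        // Old behaviour: strips "<...>" (or "<" to end of string), drops NUL
        // bytes and entity-encodes quotes. Loses data on any legitimate "<".
        'sanitize_string' => filter_string_polyfill($input),
        // Recommended for XSS: keep the data, encode only when printing as HTML.
        'html_escaped'    => htmlspecialchars($input, ENT_QUOTES, 'UTF-8'),
    ];
}

$samples = [
    // A query fragment like the one in the second question: "<" is legitimate.
    'sql'  => "SELECT * FROM t WHERE a < 5 AND b > 2",
    // Markup that must not reach the page unescaped.
    'html' => "<script>alert('x')</script>",
    // A NUL byte, which the old filter silently dropped.
    'nul'  => "abc\0def",
];

foreach ($samples as $label => $input) {
    printf("== %s ==\n", $label);
    foreach (compare_treatments($input) as $name => $value) {
        // Make control characters visible in the printout.
        printf("  %-16s %s\n", $name, addcslashes($value, "\0..\37"));
    }
}
```

For the "sql" sample the sanitize_string row comes back as "SELECT * FROM t WHERE a  2", which is exactly the truncation the second question asks about, while unsafe_raw and html_escaped keep the full text.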
Failed to run php spark serve, can anyone solve the problem?
You're using a PHP version that is too new for the CodeIgniter version you installed.
If you're using PHP 8.1, you need at least CodeIgniter 4.1.7.
Solutions:
- Option 1: Downgrade PHP
- Option 2: Upgrade CodeIgniter
Reference: https://codeigniter.com/user_guide/changelogs/v4.1.7.html