You need to sanitize your strings before you insert them into your database. This lesson shows how to do that with "FILTER_SANITIZE_STRING", "FILTER_SANITIZE_EMAIL" and "FILTER_FLAG_STRIP_HIGH". We use jQuery and AJAX to pass the variables to the processor. This lesson is a continuation of the last lesson, Create Secure Password Sign Up Script With PHP jQuery and AJAX.
Resources for Sanitizing a String in PHP
There are several different ways of sanitizing a string before you insert it into your database. Here are a few.
- FILTER_SANITIZE_EMAIL This will create a filter for email addresses. In the video tutorial I put a flag on this sanitize function, but that is not necessary. I corrected it in the code below.
- FILTER_SANITIZE_ENCODED This will URL-encode a string.
- FILTER_SANITIZE_MAGIC_QUOTES This will use the addslashes() PHP function to escape quotes.
- FILTER_SANITIZE_STRING This will strip tags and encode special characters (quotes).
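To see what each of these filters actually keeps, here is an added command-line demo (not code from the tutorial) that runs a few constructed inputs through FILTER_SANITIZE_STRING (with and without FILTER_FLAG_STRIP_HIGH), FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_SANITIZE_ENCODED and FILTER_SANITIZE_EMAIL, and then validates the sanitized email with FILTER_VALIDATE_EMAIL. Two version caveats are built in: FILTER_SANITIZE_STRING is deprecated since PHP 8.1 (the demo silences the notice), and FILTER_SANITIZE_MAGIC_QUOTES was removed in PHP 8.0, so the demo calls addslashes() directly, which is what that filter did. The sample strings are constructed for the demo.

```php
<?php
// Added example, not code from the tutorial: run constructed inputs through
// the sanitizing filters listed above and print what each one leaves, so the
// difference between "sanitize" and "validate" is visible.
// Run with: php filter_demo.php
declare(strict_types=1);

/**
 * Apply one sanitizing filter and return the result as a string.
 * filter_var() returns false on failure, which we map to '' for display.
 */
function sanitize(string $input, int $filter, int $flags = 0): string
{
    // '@' silences the E_DEPRECATED notice FILTER_SANITIZE_STRING raises on
    // PHP 8.1+; the filter still works there.
    $out = @filter_var($input, $filter, $flags);
    return $out === false ? '' : $out;
}

/**
 * Sanitize an email address, then check that the result is well-formed.
 * Returns null when the sanitized value is still not a valid address.
 */
function clean_email(string $input): ?string
{
    $clean = sanitize($input, FILTER_SANITIZE_EMAIL);
    // Sanitizing only removes characters the filter does not allow; it does
    // not make the value a valid address, so validate before trusting it.
    return filter_var($clean, FILTER_VALIDATE_EMAIL) === false ? null : $clean;
}

// Constructed sample inputs: a tag, a quote, a non-ASCII character (é, two
// bytes > 127 in UTF-8, which FILTER_FLAG_STRIP_HIGH removes), spaces and '&'.
$samples = [
    'name'  => "Bob <b>O'Neil</b> \u{00E9}",
    'email' => 'bob<script>@example.com',
    'query' => 'search term & more',
];

// Filter name => [filter constant, flags]
$filters = [
    'FILTER_SANITIZE_STRING'               => [FILTER_SANITIZE_STRING, 0],
    'FILTER_SANITIZE_STRING|STRIP_HIGH'    => [FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH],
    'FILTER_SANITIZE_FULL_SPECIAL_CHARS'   => [FILTER_SANITIZE_FULL_SPECIAL_CHARS, 0],
    'FILTER_SANITIZE_ENCODED'              => [FILTER_SANITIZE_ENCODED, 0],
];

foreach ($samples as $label => $value) {
    echo "== $label: $value\n";
    foreach ($filters as $name => [$filter, $flags]) {
        printf("  %-36s %s\n", $name, sanitize($value, $filter, $flags));
    }
    // What FILTER_SANITIZE_MAGIC_QUOTES did before its removal in PHP 8.0.
    printf("  %-36s %s\n", 'addslashes()', addslashes($value));
    $email = clean_email($value);
    printf("  %-36s %s\n", 'FILTER_SANITIZE_EMAIL + VALIDATE', $email ?? '(rejected)');
}
```

Worth noticing in the output: FILTER_SANITIZE_STRING removes the tag and turns the quote into an HTML entity, FILTER_FLAG_STRIP_HIGH additionally drops the é, and FILTER_SANITIZE_EMAIL can turn an input with a tag in it into something that passes validation, because it only deletes disallowed characters. That is why the email field needs both a sanitize and a validate step.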
mysqli_real_escape_string
We also use mysqli_real_escape_string to sanitize strings when inserting into our database. This will escape special characters in a string for use in MySQL. This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection. The scripts for this tutorial are located here.
Scripts for Sanitizing Strings
Create a file and call it index.php and insert the following code or download it here.

    <!DOCTYPE html>
    <html>
    <head>
      <title>SANITIZE STRINGS BEFORE INSERTING INTO DATABASE PHP MYSQL AJAX JQUERY</title>
      <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"></script>
    </head>
    <body>
      <input id="name" type="text" placeholder="Username">
      <input id="email" type="text" placeholder="Email">
      <input id="pass" type="password" placeholder="Password">
      <input id="submit" type="button" value="Submit">
      <div id="display"></div>
      <script>
      $(document).ready(function(){
        $("#submit").click(function(){
          var name = $("#name").val();
          var email = $("#email").val();
          var pass = $("#pass").val();
          if(name=='' || email=='' || pass=='') {
            $("#display").html("Please Fill All Fields");
          } else {
            $.ajax({
              type: "POST",
              url: "processor.php",
              // Pass an object so jQuery URL-encodes each value; building the
              // query string by hand breaks when a field contains '&' or '='.
              data: { name1: name, email1: email, pass1: pass },
              cache: false,
              success: function(result){
                $("#display").html(result);
              }
            });
          }
          return false;
        });
      });
      </script>
    </body>
    </html>

Now create a script and call it processor.php and insert the following code. Optionally you can download it here.

    <?php
    include_once('config.php');

    // Escape each field for SQL, then run it through the sanitizing filter.
    // The *clean variables are what get inserted and echoed.
    $name = mysqli_real_escape_string($con, $_POST['name1'] ?? '');
    $nameclean = filter_var($name, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);

    $email = mysqli_real_escape_string($con, $_POST['email1'] ?? '');
    // FILTER_SANITIZE_EMAIL needs no flag (see the note above).
    $emailclean = filter_var($email, FILTER_SANITIZE_EMAIL);

    $pass = mysqli_real_escape_string($con, $_POST['pass1'] ?? '');
    $passclean = filter_var($pass, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
    $hash = sha1(md5($passclean));

    mysqli_query($con, "INSERT INTO users(`username`, `email`, `password`) VALUES('$nameclean','$emailclean','$hash')");

    echo '<strong>'.$nameclean.'</strong><br/>';
    echo '<strong>'.$emailclean.'</strong><br/>';
    echo 'This is the password:<strong>'.$passclean.'</strong><br/>';
    echo 'This is the encrypted password: <strong>'.$hash.'</strong><br/>';
    $con->close();
    ?>

You will also need a config.php to connect to your database.

    <?php
    $con = mysqli_connect("localhost", "dbusername", "dbpass", "dbname");
    if (mysqli_connect_errno()) {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
        exit; // stop here instead of running queries on a failed connection
    }
    ?>
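The processor above gets its protection from escaping every value and then splicing it into the SQL text, and it hashes the password with sha1(md5()). Here is an added example (not the tutorial's processor.php) of the same sign-up insert written the way a current PHP code base would do it: a prepared statement with bound parameters, so no mysqli_real_escape_string() call is needed, password_hash()/password_verify() for the password, and HTML encoding at output time instead of before the INSERT. It swaps in PDO with an in-memory SQLite database so it runs offline from the command line; with the PDO MySQL driver (new PDO('mysql:host=...;dbname=...', $user, $pass)) the prepare()/execute() calls are the same. The table layout, function names and sample user are constructed for the example.

```php
<?php
// Added example, not the tutorial's processor.php: the same sign-up insert
// with a prepared statement and password_hash(). Uses PDO + in-memory SQLite
// so it runs offline; the PDO calls are identical with the MySQL driver.
// Run with: php signup_demo.php
declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id       INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL,
        email    TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL
    )');
    return $db;
}

/**
 * Check the sign-up fields against the application's rules and insert the
 * user. Returns the new row id; throws InvalidArgumentException on bad input.
 */
function register_user(PDO $db, string $name, string $email, string $pass): int
{
    // Validation enforces business rules (length, shape). It is not what
    // keeps the query safe; the bound parameters below do that.
    $name = trim($name);
    if ($name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('Username must be 1-64 bytes');
    }
    $emailClean = filter_var(trim($email), FILTER_SANITIZE_EMAIL);
    if ($emailClean === false || filter_var($emailClean, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address');
    }
    if (strlen($pass) < 8) {
        throw new InvalidArgumentException('Password must be at least 8 characters');
    }

    // password_hash() instead of sha1(md5()): per-user salt and a slow hash,
    // checked later with password_verify(). The password is never filtered or
    // escaped, so every character the user typed is part of the secret.
    $hash = password_hash($pass, PASSWORD_DEFAULT);

    // Placeholders send the values separately from the SQL text, so no escaping
    // is needed and the quote in a name like O'Neil is stored as-is.
    $stmt = $db->prepare(
        'INSERT INTO users (username, email, password) VALUES (:name, :email, :hash)'
    );
    $stmt->execute([':name' => $name, ':email' => $emailClean, ':hash' => $hash]);
    return (int) $db->lastInsertId();
}

/** Verify a login attempt against the stored hash. */
function check_login(PDO $db, string $email, string $pass): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password']);
}

// Constructed demo input: a username containing a quote and a tag.
$db = open_db();
$id = register_user($db, "Bob O'Neil <b>", 'bob@example.com', 'correct horse battery staple');

$stmt = $db->prepare('SELECT username, email FROM users WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Encode at output time, for the context the value goes into (HTML here).
// This is where the tag and the quote get neutralised, not before the INSERT.
echo '<strong>' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . '</strong><br/>' . "\n";
echo '<strong>' . htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8') . '</strong><br/>' . "\n";
echo 'Login with the right password: ' . var_export(check_login($db, 'bob@example.com', 'correct horse battery staple'), true) . "\n";
echo 'Login with a wrong password:   ' . var_export(check_login($db, 'bob@example.com', 'nope'), true) . "\n";
```

The design point is that each defence sits at the layer it belongs to: bound parameters keep user data out of the SQL, password_hash() keeps the password unrecoverable from the table, and htmlspecialchars() at echo time handles the markup characters that FILTER_SANITIZE_STRING used to strip before storage. Storing the name unmodified also means the value shown back to the user is exactly what they typed.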