You need to sanitize your strings before you insert them into your database. We show you how to do that in this lesson with “FILTER_SANITIZE_STRING”, “FILTER_SANITIZE_EMAIL” and “FILTER_FLAG_STRIP_HIGH”. We use jQuery and AJAX to pass the variables to the processor. This lesson is a continuation of the last lesson, Create Secure Password Sign Up Script With PHP jQuery and AJAX.
Resources for Sanitizing a String in PHP
There are several different ways of sanitizing a string before you insert it into your database. Here are a few.
- FILTER_SANITIZE_EMAIL This creates a filter for email addresses. In the video tutorial I put a flag on this sanitize function, but that is not necessary. I corrected it in the code below.
- FILTER_SANITIZE_ENCODED This will URL-encode a string.
- FILTER_SANITIZE_MAGIC_QUOTES This will use the addslashes() PHP function to escape quotes.
- FILTER_SANITIZE_STRING This will strip tags and encode special characters.
We also use mysqli_real_escape_string to sanitize strings when inserting into our database. It escapes the special characters in a string so that the string can be used in a MySQL statement.
This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection.
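As an added example (not the lesson's own code), here are the sign-up fields cleaned with the filters listed above and then escaped with mysqli_real_escape_string for the insert. The field names, the sample input and the connection settings are assumptions for this example; FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, so the comments note the equivalent calls.

```php
<?php
// Added example: sanitize sign-up fields with filter_var(), then escape for MySQL.
// Field names, sample input and connection settings are assumptions, not the lesson's.

/**
 * Sanitize the raw sign-up fields (e.g. $_POST sent by the jQuery/AJAX call).
 * Returns the cleaned values; it does not touch the database.
 */
function sanitize_signup(array $input): array
{
    // FILTER_SANITIZE_EMAIL removes every character not allowed in an email address.
    $email = filter_var($input['email'] ?? '', FILTER_SANITIZE_EMAIL);

    // FILTER_SANITIZE_STRING strips tags and encodes quotes; FILTER_FLAG_STRIP_HIGH
    // also drops bytes above ASCII 127. FILTER_SANITIZE_STRING is deprecated since
    // PHP 8.1; strip_tags() followed by htmlspecialchars() gives the same effect.
    $username = filter_var($input['username'] ?? '', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);

    return ['email' => $email, 'username' => $username];
}

/**
 * Escape already-sanitized values for use inside quoted MySQL string literals,
 * honouring the character set of the open connection.
 */
function escape_for_mysql(mysqli $db, array $fields): array
{
    return array_map(fn(string $v): string => mysqli_real_escape_string($db, $v), $fields);
}

// Constructed sample input: a submission carrying characters that must not reach the table as-is.
$raw = [
    'email'    => 'al<b>ice</b>@example.com',
    'username' => "O'Brien <b>bold</b> é",
];
$clean = sanitize_signup($raw);
var_dump($clean);   // inspect what each filter removed or encoded

// Placeholder connection; replace with the credentials from the previous lesson.
$db   = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
$safe = escape_for_mysql($db, $clean);
$sql  = "INSERT INTO users (email, username) VALUES ('{$safe['email']}', '{$safe['username']}')";
// $db->query($sql);
// Binding the values with mysqli_stmt::bind_param() instead of interpolating them
// removes the dependence on escaping altogether.
```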