PHP Security Tools Overview
FILTER_SANITIZE_STRING: Removes invalid data (tags) from a string.
$untrusted = "<script>alert('Attack');</script>";
$safe = filter_var($untrusted, FILTER_SANITIZE_STRING);
The script tags are removed, and the output is: alert('Attack')
FILTER_SANITIZE_ENCODED: URL-encodes the string, rendering script tags inert.
$untrusted = "<script>alert('Attack');</script>";
$safe = filter_var($untrusted, FILTER_SANITIZE_ENCODED);
Percent-encodes all punctuation, spaces, and angle brackets (URL encoding, as the
output shows, rather than HTML entities). Output is:
%3Cscript%3Ealert%28%27ATTACK%27%29%3B%3C%2Fscript%3E
FILTER_SANITIZE_SPECIAL_CHARS: HTML-encodes special characters such as
quotes, ampersands, and angle brackets.
$untrusted = "<script>alert('Attack');</script>";
$encoded = filter_var($untrusted, FILTER_SANITIZE_SPECIAL_CHARS); ...
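The three filters above, run side by side over the same payload so the difference in output context (URL parameter versus HTML body) is visible. This is an added example, not code from the book; it assumes a PHP 7.4 or 8.x CLI, and the input string is constructed.

```php
<?php
// Added example (not from the book): applies the sanitizing filters covered in
// this section to one untrusted string and returns every result by name, so the
// caller can pick the encoding that matches where the value will be emitted.
declare(strict_types=1);

function sanitizeVariants(string $untrusted): array
{
    $variants = [];

    // FILTER_SANITIZE_STRING strips tags and encodes quotes. It is deprecated
    // since PHP 8.1 (calling it raises E_DEPRECATED), so it is only run on
    // older interpreters here and should not be relied on in new code.
    $variants['sanitize_string'] = PHP_VERSION_ID < 80100
        ? filter_var($untrusted, FILTER_SANITIZE_STRING)
        : '(skipped: FILTER_SANITIZE_STRING is deprecated since PHP 8.1)';

    // FILTER_SANITIZE_ENCODED percent-encodes the value (URL encoding).
    // Correct for a query-string parameter; a browser would decode it and
    // render the original markup if it were placed directly in an HTML page.
    $variants['sanitize_encoded'] = filter_var($untrusted, FILTER_SANITIZE_ENCODED);

    // FILTER_SANITIZE_SPECIAL_CHARS converts ' " < > & and characters below
    // ASCII 32 to numeric HTML entities, so the browser shows them as text.
    $variants['sanitize_special_chars'] = filter_var($untrusted, FILTER_SANITIZE_SPECIAL_CHARS);

    // htmlspecialchars() with ENT_QUOTES is the usual choice for untrusted data
    // placed inside an HTML element body or a quoted attribute; ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string.
    $variants['htmlspecialchars'] = htmlspecialchars(
        $untrusted,
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );

    return $variants;
}

// Constructed sample input: the script payload used throughout this section.
$untrusted = "<script>alert('Attack');</script>";

foreach (sanitizeVariants($untrusted) as $name => $result) {
    printf("%-24s %s\n", $name . ':', $result);
}
```

None of the results still contains a literal `<`, but only the HTML-entity forms are safe to place in an HTML document; the percent-encoded form belongs in a URL.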