filter_var function


jimfog

I am in the process of validating the form; so far I have used custom functions. Recently I came across the filter_var function and I wanted to know if someone has used it and what their opinion of it is. Should I leave control of validation/sanitization completely to this function? Someone might argue that this depends on my needs, but I wanted to hear views anyway.


It is best to use the inbuilt validation function. It has common validations like URL and email built in without any use of regex. It also has a facility for regex-based validation and even custom-rule validation using a callable function. Moreover, it is native PHP code, so it is faster. One advantage of it is that you can build an array of validation rules and use it in form generation and validation in one place.


I used the filter sanitize_string for a phone form field. And what surprised me is that multiple dashes (------) are considered valid. So custom checks (usage of regular expressions) are needed too, along with the filters of course.


filter_var with SANITIZE_STRING just strips the input of tags like h2, h1, br etc... I think more is needed. When it comes to strings like city, address etc., where there is no validate filter available (like there is for e-mail, for example), more must be done. Custom checks might be needed.


For city and address, there may be nothing you can do. Even in one country, there are many different ways to write an address. Your best bet is to make sure there is no HTML in the text, no JavaScript, and if you are saving this in a database, always prevent SQL injection. You can Google that.


...make sure there is no HTML in the text, no javascript,
When we say "escape output", do we mean the above? Does sanitization take care of that?

Escaping is different from sanitizing or filtering.
Sanitizing: removing unwanted characters from input and returning the resulting string.
Validation: checking for the existence of unwanted characters and passing if it matches, otherwise not; it returns something like a boolean.
Escape: marking some character so that in a particular context it will have a different meaning than the usual meaning of the character. E.g.

echo "hello world \n";

We use '\' to escape 'n', which is distinct from an ordinary 'n' and represents a new line. Another e.g.: echo "it is \" quoted \" string";

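The three operations the thread keeps apart (validate, sanitize, escape) applied to one constructed form submission, including the multiple-dashes phone value mentioned earlier. This is an added example, not code posted in the thread; the regexes and the sample input are my own assumptions, and strip_tags() stands in for FILTER_SANITIZE_STRING, which is deprecated since PHP 8.1.

```php
<?php
// Added example (not from the thread): validate, sanitize, escape.
declare(strict_types=1);

// Constructed sample submission, as a form might send it.
$input = [
    'email' => 'user@example.com',
    'phone' => '------',                               // case from the thread
    'city'  => '<b>Athens</b> <script>x()</script>',    // constructed
];

// 1. Validation: returns the value on success, false on failure.
$email = filter_var($input['email'], FILTER_VALIDATE_EMAIL);  // "user@example.com"

// FILTER_SANITIZE_STRING only strips tags, so '------' survives it.
// A regex validator rejects it: groups of digits, single dashes between them.
// (Pattern is an assumption; real phone formats vary by country.)
$phone = filter_var($input['phone'], FILTER_VALIDATE_REGEXP, [
    'options' => ['regexp' => '/^\d{2,4}(-?\d{2,4}){1,3}$/'],
]);                                                            // false

// 2. Sanitization for free text with no dedicated validate filter:
// strip tags, then apply our own character and length rule.
$city   = strip_tags($input['city']);                          // "Athens x()"
$cityOk = filter_var($city, FILTER_VALIDATE_REGEXP, [
    'options' => ['regexp' => '/^[\p{L} .\'-]{1,80}$/u'],
]);                                                            // false: "()" left over

// 3. Escaping happens at output time, for the context the value lands in.
// It does not remove anything; it makes the characters inert as text.
$html = htmlspecialchars($input['city'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
// "&lt;b&gt;Athens&lt;/b&gt; &lt;script&gt;x()&lt;/script&gt;"

// SQL context: do not escape by hand; bind the value in a prepared statement.
// $stmt = $pdo->prepare('INSERT INTO users (city) VALUES (:city)');
// $stmt->execute([':city' => $city]);

var_dump($email, $phone, $cityOk, $html);
```

Note that the sanitized city still fails validation: stripping tags leaves the script body behind, which is why the thread concludes that a custom check is needed on top of the filter.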

Furthermore, your explanation of sanitization/validation is messy. You are saying essentially that sanitization is the same as validation, since, according to you, they both check for unwanted characters. Anyway... I found some resources on the web about these two and it is clear to me now. About escaping... I have understood what it is all about.

Edited by jimfog