{"id":195,"date":"2012-01-31T20:48:37","date_gmt":"2012-01-31T20:48:37","guid":{"rendered":"https:\/\/ibex.tech\/cloud\/?p=195"},"modified":"2025-09-25T13:02:10","modified_gmt":"2025-09-25T12:02:10","slug":"sanitising-strings","status":"publish","type":"post","link":"https:\/\/ibex.tech\/cloud\/php\/strings\/sanitising-strings","title":{"rendered":"Sanitising & encoding strings"},"content":{"rendered":"\n

Sanitising for HTML<\/h4>\n\n\n\n
$MyString = htmlspecialchars($MyString, ENT_QUOTES);<\/code><\/pre>\n\n\n\n
\/\/ '&' (ampersand) becomes '&'\n\/\/ '\"' (double quote) becomes '\"'\n\/\/ \"'\" (single quote) becomes '''\n\/\/ '<' (less than) becomes '<'\n\/\/ '>' (greater than) becomes '>' <\/code><\/pre>\n\n\n\n
Convert special HTML entities back to characters<\/h5>\n\n\n\n
$MyString = htmlspecialchars_decode($MyString);<\/code><\/pre>\n\n\n\n
URL Encode and Decode<\/h4>\n\n\n\n
Returns a string in which all non-alphanumeric characters except -_. have been replaced with a percent (%) sign followed by two hex digits and spaces encoded as plus (+) signs.   A space is encoded to %20 in URLs, and to + in forms submitted data (content type application\/x-www-form-urlencoded).<\/p>\n\n\n\n
  $UrlString = urlencode($OriginalString);\n  $OriginalString = urldecode($UrlString);<\/code><\/pre>\n\n\n\n
Sanitising for HTML from a form POST<\/h4>\n\n\n\n
See page here<\/a>.<\/p>\n\n\n\n
filter_var() function<\/h4>\n\n\n\n
Returns the input string filtered, or FALSE if it was unable to perform the sanitization (e.g. due to an illegal character)<\/p>\n\n\n\n
  if ( ($MyVariable = filter_var($EnteredEmail, FILTER_SANITIZE_EMAIL)) !== False )<\/code><\/pre>\n\n\n\n
See here<\/a> for all the available filter options<\/p>\n\n\n\n
See here<\/a> for examples of using filter_var().<\/p>\n\n\n\n
Example<\/h5>\n\n\n\n
  $MyString = \"This is my sample text, with special chars. #%!\\\"'^-_\u00a3&\";\n  echo \"Start string: $MyString<br>\";\n  \n  $MyString = urlencode($MyString);\n  echo \"urlencode(): $MyString<br>\";\n  \n  $MyString = urldecode($MyString);\n  echo \"urldecode(): $MyString<br>\";\n\n  \/\/Produces:\n  \/\/  Start string: This is my sample text, with special chars. #%!\"'^-_\u00a3&\n  \/\/  urlencode(): This+is+my+sample+text%2C+with+special+chars.+%23%25%21%22%27%5E-_%C2%A3%26\n  \/\/  urldecode(): This is my sample text, with special chars. #%!\"'^-_\u00a3&<\/code><\/pre>\n\n\n\n
If wanting to pass a file url in an argument you can do this<\/h5>\n\n\n\n
\/\/The HTML Link with the URL argument  \n$Url .= '<a href=\"\/my_file?iurl=' . urlencode($MyStringContainingAUrl) . '\/\" >';    \/\/We add a trailing '\/' otherwise a file extension period '.' in $MyStringContainingAUrl buggers up the argument being seen as one and not a file link to the browser\n  \n\/\/The page the argument was passed to\n$MyStringContainingAUrl .= '<img src=\"' . rtrim(urldecode($_REQUEST['iurl']), '\/') . '\" >';      \/\/Remove the trailing '\/' that was added to avoid the period breaking the url argument<\/code><\/pre>\n\n\n\n
PHP adds back slash before forward slash<\/h4>\n\n\n\n
(e.g. \/ becomes \\\/ )<\/p>\n\n\n\n
It’s a JSON issue.  JSON escapes all special characters by default. When decoded, you will get original value back without the backslash.  If its causing issues you need to resolve see stripslashes tip about needing to be at final echo  here<\/a>.<\/p>\n\n\n\n
General PHP only use<\/h4>\n\n\n\n
function SanitizeString($var)\n{\n\t$var = strip_tags($var);\n\t$var = htmlentities($var);\n\treturn stripslashes($var);\n}\n\/\/OR JUST USE THIS\n$my_string = stripslashes(htmlentities(strip_tags($my_string)));<\/code><\/pre>\n\n\n\n
htmlentities<\/span><\/p>\n\n\n\n
htmlentities() converts things like < > ” \\ etc into HTML strings like &lt; so they become harmless.<\/p>\n\n\n\n
  $CameFromPage = htmlentities($_SERVER['HTTP_REFERER']);<\/code><\/pre>\n\n\n\n
Stopping New Lines In A Text Box Being Converted To <br \/><\/h4>\n\n\n\n
$my_text = mysqli_real_escape_string($dblink, str_replace(\"\\r\\n\",\" \",$_POST['myform_text_field'])); <\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Sanitising for HTML Convert special HTML entities back to characters URL Encode and Decode Returns a string in which all non-alphanumeric characters except -_. have been replaced with a percent (%) sign followed by two hex digits and spaces encoded as plus (+) signs. A space is encoded to %20 in URLs, and to + […]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,19],"tags":[],"class_list":["post-195","post","type-post","status-publish","format-standard","hentry","category-security","category-strings"],"_links":{"self":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts\/195","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/comments?post=195"}],"version-history":[{"count":33,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts\/195\/revisions"}],"predecessor-version":[{"id":5123,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts\/195\/revisions\/5123"}],"wp:attachment":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/media?parent=195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/categories?post=195"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/tags?post=195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}