Quick and Dirty Content Filtering with PHP

The PHP language includes lots of helpful functions for easily filtering, cleaning and manipulating content, all of which are excellent tools in the hands of a skilled developer. A solid knowledge of these filtering tools will help you achieve enhanced security and functionality in your projects.

Today, I’m going to give you a crash course on PHP’s basic filtering functions so that by the end of the tutorial you’ll be able to easily escape data, strip tags, remove words and more.

Escaping Strings

First up is string escaping, implemented with what is probably the most basic of PHP’s filtering functions – addslashes(). This function escapes single quotes, double quotes and backslashes for you, allowing you to (more) safely accept form data, etc. Say for example you have an input field (named ‘title’) and someone types "Suzie's Blog". Those double and single quotes can cause some problems, but not for long:

$title = addslashes($_POST['title']);
//$title is now safe to use!

echo $title;
//outputs \"Suzie\'s Blog\"

As you might guess, addslashes() has an inverse function: stripslashes(). On a side note, in case you ever find yourself developing a custom WordPress plugin, stripslashes() is incredibly useful for removing the slashes that WordPress adds to saved options values.

So all this is pretty handy, but for MySQL queries it’s smart to use something a bit more powerful. Up next:

Escaping MySQL Queries

MySQL injection attacks are a very real concern, making data sanitization a must for any web developer. Thankfully, mysql_real_escape_string() provides a way to easily and safely escape dangerous characters in a value before it goes into a MySQL query. This is perhaps the most often used PHP sanitization function. Here’s an example:

$title = $_POST['title'];
//$title could be anything, including an injection

$title = mysql_real_escape_string($title);
//escaped using the character set of the open MySQL connection, so connect first
//It's now safe, provided the escaped value sits inside quotes in the SQL
//(and the PHP string is double-quoted so $title is actually interpolated):
mysql_query("INSERT INTO blogs(title) VALUES('$title')");

This function is one that anyone working with PHP and MySQL will use quite often – it’s elegant and potent (it even works on binary data).
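The quoting rule that makes the MySQL example above work, as an added example that is not from the article: it uses PDO with an in-memory SQLite database instead of the mysql_* functions (which were removed in PHP 7) so it runs without a MySQL server, and it also shows the prepared-statement form; the table and function names are assumptions.

```php
<?php
// Added example (not from the original article). PDO::quote() plays the role of
// mysql_real_escape_string() here; the quoting rules it illustrates are the same.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE blogs (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    return $pdo;
}

// Mirrors the article's pattern: the escaped value is pasted into the SQL string.
// Escaping only helps if the value sits inside quotes; without them even a
// harmless apostrophe breaks the statement.
function insertEscaped(PDO $pdo, string $title, bool $quoted): bool {
    // PDO::quote() escapes AND wraps the value in quotes, so the wrapper is
    // removed to reproduce the unquoted form.
    $escaped = $quoted ? $pdo->quote($title) : trim($pdo->quote($title), "'");
    try {
        $pdo->exec("INSERT INTO blogs (title) VALUES ($escaped)");
        return true;
    } catch (PDOException $e) {
        return false; // statement was malformed; nothing was inserted
    }
}

// Preferred form: a prepared statement keeps data and SQL separate, so there is
// no escaping step to forget and no quoting to get wrong.
function insertPrepared(PDO $pdo, string $title): void {
    $stmt = $pdo->prepare('INSERT INTO blogs (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
}

function titles(PDO $pdo): array {
    return $pdo->query('SELECT title FROM blogs ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = makeDb();
$title = "Suzie's Blog";                        // constructed input with an apostrophe
var_dump(insertEscaped($pdo, $title, false));   // bool(false): unquoted, query breaks
var_dump(insertEscaped($pdo, $title, true));    // bool(true)
insertPrepared($pdo, $title);
print_r(titles($pdo));                          // both rows read back as Suzie's Blog
```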

Encoding HTML Entities

htmlentities() is another fun and useful function. It automatically encodes special characters as HTML entities, for example < as &lt; and " as &quot;. It's most useful for taking non-malicious user input that simply has special characters in it and formatting it for display. Here’s how you might use it, supposing someone submitted a title called Me & My Dog, "Buddy" > An Essay:

$title = $_POST['title'];

$title = htmlentities($title);
//encode the string

echo $title;
//outputs a correctly encoded title:
//Me &amp; My Dog, &quot;Buddy&quot; &gt; An Essay

This function isn’t designed to be a security filter (for filtering malicious data); it’s simply a convenient way to make sure user data is encoded correctly. It also has an inverse function, html_entity_decode().

Stripping Tags

Sometimes you don’t want to just encode HTML tags, you want to strip them out completely. PHP’s strip_tags() is the perfect solution, doing just what the function name implies. Say someone sends in malicious data:

$title = $_POST['title'];
//$title's value = "Happy <script src='http://evilsite.com/hack.js'></script> Birthday!"

$title = strip_tags($title);
//remove dangerous tags

echo $title;
//outputs "Happy  Birthday!" (two spaces remain where the tags were removed)

That’s it – all tags are removed just like that. A useful function indeed. But what if you want to strip some tags (like script and img) but keep others (strong, a, p)? Read on!
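Both jobs described above, stripping tags and encoding for display, as an added example that is not from the article: a plain-text path for titles and a limited-HTML path that keeps the strong, a and p tags; the function names and sample inputs are constructed.

```php
<?php
// Added example, not from the original article. Two cleanup paths for user
// input: plain text (strip every tag, then encode for HTML output) and
// limited HTML (keep an allow-list of tags). Function names are assumptions.

// Titles are plain text: drop all tags, then encode what is left. ENT_QUOTES
// also encodes the single quote, which htmlentities() skips by default, so the
// result is safe inside both double- and single-quoted attributes.
function plainTextTitle(string $raw): string {
    return htmlspecialchars(strip_tags($raw), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Rich text: keep an allow-list of tags. strip_tags() leaves attributes on the
// kept tags untouched, so they are normalised here: <strong>/<p> lose all
// attributes and <a> keeps only an absolute http(s) href.
function limitedHtml(string $raw): string {
    $kept = strip_tags($raw, '<strong><a><p>');
    $kept = preg_replace('/<(strong|p)\b[^>]*>/i', '<$1>', $kept);
    return preg_replace_callback('/<a\b[^>]*>/i', function (array $m): string {
        if (preg_match('/\bhref\s*=\s*["\']?(https?:\/\/[^"\'\s>]+)/i', $m[0], $h)) {
            return '<a href="' . htmlspecialchars($h[1], ENT_QUOTES, 'UTF-8') . '">';
        }
        return '<a>';
    }, $kept);
}

echo plainTextTitle('Me & My Dog, "Buddy" > An Essay'), "\n";
// Me &amp; My Dog, &quot;Buddy&quot; &gt; An Essay

echo plainTextTitle("Happy <script src='http://evilsite.com/hack.js'></script> Birthday!"), "\n";
// Happy  Birthday!

echo limitedHtml('<p class="x">See <a href="http://example.com/" id="l">this</a> '
               . '<img src="pic.png"> <strong style="s">now</strong></p>'), "\n";
// <p>See <a href="http://example.com/">this</a>  <strong>now</strong></p>
```

For anything beyond a short allow-list like this, a dedicated HTML sanitising library is the better tool; strip_tags() plus a couple of regexes is a filter, not a parser.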

Advanced Data Filtering

These functions that we’ve just been through will work the majority of the time, but there will be situations where they aren’t quite versatile or powerful enough. Thankfully, we have regular expressions. Using some regexp patterns and the powerful PHP function preg_replace(), we can filter, strip, replace, or remove pretty much anything we want without much trouble at all. Believe me, this thing is powerful.

You can check out more about preg_replace() here, but the basic idea is that it takes what to look for (called a needle), what to replace it with, and what to look in (called a haystack). The needle and haystack can be strings or arrays (if you have multiple phrases/words/patterns to search for).

Here’s an example of how you’d set up preg_replace to strip all script tags and leave other tags:

$dangerous_content = "Hello, <script type='text/javascript'>alert('hacked!')</script> how are you?";
//this is the malicious content we need to sanitize

$script_tags = "/<script\b[^>]*>.*?<\/script>/is";
//match a whole script element: the opening tag with any attributes, its contents
//(non-greedy, and across newlines thanks to the 's' modifier) and the closing tag,
//case-insensitively

$fixed_content = preg_replace($script_tags, '', $dangerous_content);
//malicious scripts have now been removed: "Hello,  how are you?"

You could also set it up to strip out a series of forbidden words (profanity, spam words, etc.) like this:

$forbidden = array('/\bforbidden1\b/i', '/\bforbidden2\b/i', '/\bforbiddenN\b/i');
//these words are the ones that will be stripped out; each entry must be a full
//regex (delimiters included), \b keeps a word from matching inside a longer one
//and 'i' makes the match case-insensitive

$fixed_content = preg_replace($forbidden, '', $_POST['comment_text']);
//goodbye, forbidden words
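The two preg_replace() uses above combined into one comment filter, as an added example that is not from the article: the script-stripping pattern with the modifiers it needs, and a forbidden-word list built with preg_quote() so arbitrary words become safe patterns; the word list, function names and sample comment are constructed.

```php
<?php
// Added example, not from the original article. A small comment filter built on
// preg_replace(). Names and the sample input are constructed for this example.

// Matches a whole <script ...>...</script> block: \b stops "<scripts>" false
// hits, [^>]* allows attributes, .*? is non-greedy so two blocks are not merged
// into one, 's' lets . cross newlines and 'i' covers <SCRIPT>.
const SCRIPT_BLOCK = '/<script\b[^>]*>.*?<\/script\s*>/is';

// Build anchored, escaped patterns from plain words; preg_quote() neutralises
// any regex metacharacters a word might contain.
function forbiddenPatterns(array $words): array {
    return array_map(function (string $w): string {
        return '/\b' . preg_quote($w, '/') . '\b/iu';
    }, $words);
}

function filterComment(string $text, array $forbidden): string {
    $text = preg_replace(SCRIPT_BLOCK, '', $text);
    // preg_replace() accepts an array of patterns; each is applied in turn
    $text = preg_replace(forbiddenPatterns($forbidden), '', $text);
    // collapse the doubled spaces left behind by the removals
    return trim(preg_replace('/\s{2,}/', ' ', $text));
}

$forbidden = ['spamword', 'buynow'];   // constructed word list
$comment = "Hello, <SCRIPT type='text/javascript'>\nalert('hacked!')\n</script> "
         . "how are you? spamword BUYNOW spamwords";

echo filterComment($comment, $forbidden), "\n";
// Hello, how are you? spamwords
```

Note that "spamwords" survives because \b only matches whole words; decide deliberately whether substring matches are wanted before dropping the anchors.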

As you can see, it’s actually surprisingly easy to manipulate data with PHP and prepare it for use. Nothing stands in your way!

Find Out More

Before you go, here are some more great tutorials on PHP filtering, validation and sanitation:

Thanks for reading, and please share your feedback in the comments!

Written By Nick Parsons

Nick is the editor of Webitect and a developer + designer from Houston TX.

23 Comments

  1. derschreckliche

    April 29th, 2010 at 05:29 pm

    Nice composition of useful php functions.
    In the MySQL example you maybe want to assign the escaped string to a variable before using it further:

    $title = mysql_real_escape_string($title);

  2. iVicta

    April 30th, 2010 at 03:24 am

    Htmlentities() link is wrong ;)
    Thanks, nice article !

  3. iVicta

    April 30th, 2010 at 03:30 am

    And you have forgotten to close a link! Anyway… ;)

  4. Keloran

    April 30th, 2010 at 04:44 am

    You missed off filter

    filter_var
    filter_input

    which can be used to get rid of extra stuff, and also have validator code (e.g. emails, so you don’t need mental regexes)

  5. Nick Parsons

    April 30th, 2010 at 07:34 am

    @derschreckliche- Thanks for the feedback, and good catch on the variable assignment. It’s fixed now!

    @iVicta- Wow, I guess I was tired :) Thanks, and I’m glad you enjoyed the article.

    @Keloran- Actually, I intentionally left out filter_var and filter_input because that was covered so well on Nettuts in their article I linked to: Sanitize and Validate Data with PHP Filters. I wanted to keep this article relatively basic and not rehash something that had already been covered so well. Thanks for mentioning it, though.

  6. nestdev

    April 30th, 2010 at 09:58 pm

    Hi Nick! That’s a nice article. Submit and promote your article in http://nestdev.com. Thanks :)

  7. Antonio

    May 24th, 2010 at 03:16 pm

    Great article, the functions above are great for basic filtering and sanitizing input, but if you want a more robust way of filtering you should check out the PECL filters here http://us.php.net/filter

  8. Google rank Checker

    September 6th, 2010 at 11:58 pm

    This is a good article, which is useful for beginners. Thanks for sharing a source code environment on this blog.

  9. abyz

    September 27th, 2010 at 02:42 am

    Thanks! In fact it’s not so difficult to protect with PHP … good tutorial

  10. Martin

    October 9th, 2010 at 06:14 pm

    instead of htmlentities, it’s better to use htmlspecialchars($stringToEscape, ENT_QUOTES) because it’s faster and escapes all necessary characters.
    good article, thank you!


  12. etatvasoft

    November 17th, 2010 at 12:18 am

    Content filtering can be divided into Web filtering, the screening of Web sites or pages, and e-mail filtering, the screening of e-mail for spam or other objectionable content. Through PHP now we can short it out this problem so, PHP is a powerful language.

  13. Brett Widmann

    December 9th, 2010 at 09:52 am

    This is a great resource. I will be referring to this in the future. Thanks!

  14. Donny Bahama

    April 27th, 2011 at 10:19 am

    You might want to apply some of those filtering techniques to your comments section. ;)

    Doesn’t look good…

  15. siamon hasan

    May 31st, 2011 at 07:19 am

    It’s an easier way to use…

    function clean($str) {
        $str = @trim($str);
        if (get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

    ex: $title = clean($_POST['title']);

  16. Federico Bucchi

    November 27th, 2011 at 05:40 pm

    Nice article, I use all of these functions
