Viewed   74 times

There's like a million Q&A that explain the options like FILTER_FLAG_STRIP_LOW, but what does FILTER_SANITIZE_STRING do on its own, without any options? Does it just filter tags?



According to PHP Manual:

Strip tags, optionally strip or encode special characters.

According to W3Schools:

The FILTER_SANITIZE_STRING filter strips or encodes unwanted characters.

This filter removes data that is potentially harmful for your application. It is used to strip tags and remove or encode unwanted characters.

Now, that doesn't tell us much. Let's go see some PHP sources.


static const filter_list_entry filter_list[] = {                                       
    { "string",          FILTER_SANITIZE_STRING,        php_filter_string          },  
    { "stripped",        FILTER_SANITIZE_STRING,        php_filter_string          },  
    { "encoded",         FILTER_SANITIZE_ENCODED,       php_filter_encoded         },  

Now, let's go see how php_filter_string is defined.

/* {{{ php_filter_string */
void php_filter_string(PHP_INPUT_FILTER_PARAM_DECL)
    size_t new_len;
    unsigned char enc[256] = {0};

    /* strip high/strip low ( see flags )*/
    php_filter_strip(value, flags);

    if (!(flags & FILTER_FLAG_NO_ENCODE_QUOTES)) {
        enc['''] = enc['"'] = 1;
    if (flags & FILTER_FLAG_ENCODE_AMP) {
        enc['&'] = 1;
    if (flags & FILTER_FLAG_ENCODE_LOW) {
        memset(enc, 1, 32);
    if (flags & FILTER_FLAG_ENCODE_HIGH) {
        memset(enc + 127, 1, sizeof(enc) - 127);

    php_filter_encode_html(value, enc);

    /* strip tags, implicitly also removes  chars */
    new_len = php_strip_tags_ex(Z_STRVAL_P(value), Z_STRLEN_P(value), NULL, NULL, 0, 1);
    Z_STRLEN_P(value) = new_len;

    if (new_len == 0) {
        if (flags & FILTER_FLAG_EMPTY_STRING_NULL) {
        } else {

I'll skip commenting flags since they're already explained on the Internet, like you said, and focus on what is always performed instead, which is not so well documented.

First - php_filter_strip. It doesn't do much, just takes the flags you pass to the function and processes them accordingly. It does the well-documented stuff.

Then we construct some kind of map and call php_filter_encode_html. It's more interesting: it converts stuff like ", ', & and chars with their ASCII codes lower than 32 and higher than 127 to HTML entities, so & in your string becomes &. Again, it uses flags for this.

Then we get call to php_strip_tags_ex, which just strips HTML, XML and PHP tags (according to its definition in /ext/standard/string.c) and removes NULL bytes, like the comment says.

The code that follows it is used for internal string management and doesn't really do any sanitization. Well, not exactly - passing undocumented flag FILTER_FLAG_EMPTY_STRING_NULL will return NULL if the sanitized string is empty, instead of returning just an empty string, but it's not really that much useful. An example:

var_dump(filter_var("yo", FILTER_SANITIZE_STRING));
var_dump(filter_var("", FILTER_SANITIZE_STRING));


string(2) "yo"
string(2) "yo"
string(0) ""

There isn't much more going on, so the manual was fairly correct - to sum it up:

  • Always: strip HTML, XML and PHP tags, strip NULL bytes.
  • FILTER_FLAG_NO_ENCODE_QUOTES - This flag does not encode quotes.
  • FILTER_FLAG_STRIP_LOW - Strip characters with ASCII value below 32.
  • FILTER_FLAG_STRIP_HIGH - Strip characters with ASCII value above 127.
  • FILTER_FLAG_ENCODE_LOW - Encode characters with ASCII value below 32.
  • FILTER_FLAG_ENCODE_HIGH - Encode characters with ASCII value above 127.
  • FILTER_FLAG_ENCODE_AMP - Encode the & character to & (not &).
  • FILTER_FLAG_EMPTY_STRING_NULL - Return NULL instead of empty strings.
Saturday, December 10, 2022

mysql_real_escape_string() will escape any malicious characters. In addition, you can use a regex like /^[A-Za-z]{4}d{3}$/ to make sure that the user indeed entered a valid input.

Monday, August 8, 2022

Check out PHP Filter

Sunday, December 11, 2022

From the documentation, it seems like the :inverse_of option is a method for avoiding SQL queries, not generating them. It's a hint to ActiveRecord to use already loaded data instead of fetching it again through a relationship.

Their example:

class Dungeon < ActiveRecord::Base
  has_many :traps, :inverse_of => :dungeon
  has_one :evil_wizard, :inverse_of => :dungeon

class Trap < ActiveRecord::Base
  belongs_to :dungeon, :inverse_of => :traps

class EvilWizard < ActiveRecord::Base
  belongs_to :dungeon, :inverse_of => :evil_wizard

In this case, calling dungeon.traps.first.dungeon should return the original dungeon object instead of loading a new one as would be the case by default.

Thursday, November 3, 2022

Here's an excellent article with illustrations by a Google engineer:

PorterDuff is described as a way of combining images as if they were "irregular shaped pieces of cardboard" overlayed on each other, as well as a scheme for blending the overlapping parts.

The default Android way of composing images is PorterDuff.Mode.SRC_OVER, which equates to drawing the source image/color over the target image. In other words, it does what you would expect and draws the source image (the one you're drawing) on top of the destination image (the canvas) with the destination image showing through to the degree defined by the source image's alpha.

You can use the key below to understand the algebra that the Android docs use to describe the other modes (see the article for a fuller desription with similar terms).

  • Sa Source alpha
  • Sc Source color
  • Da Destination alpha
  • Dc Destination color

Where alpha is a value [0..1], and color is substituted once per channel (so use the formula once for each of red, green and blue)

The resulting values are specified as a pair in square braces as follows.


Where alpha-value and color-value are formulas for generating the resulting alpha chanel and each color chanel respectively.

Saturday, October 8, 2022
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :