
Sanitize Filter Flag not working properly?


wolfcry

Hey all,

 

While the filter itself is functioning properly, the flag doesn't seem to be.

 

Here's how I have it set up:

 


	$UserInput = filter_var($UserInput , FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW); // Test Format 1

	$UserInput  = filter_input(INPUT_POST, 'UserInput', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);  // Test Format 2

 

As you can see, I have set up two test methods; however, each one fails regarding the flag... or so it seems to me.

 

FILTER_FLAG_STRIP_LOW is supposed to strip out anything > 32 in ASCII, but it isn't. '&' (38) is greater than 32 but it still displays in the browser.

 

Am I missing something here?

 

Well, if you look at the user notes on the Sanitize filters manual page it looks like there is no consensus over what FILTER_FLAG_STRIP_LOW really does.

 

http://www.php.net/manual/en/filter.filters.sanitize.php

 

You might need to find an alternative function or build your own to do what you need.

Hey Psycho,

 

Yeah, I know. The manual is really dropping the ball on that one IMHO.

 

I have done quite a bit of research into it and I believe w3schools did a short blurb on it but from what I do find, it's basically repeating what the manual says without going into much detail.

 

Well, I guess it's preg_match() all over again lol.

Well, what are you trying to achieve?

Wait, why would you think FILTER_FLAG_STRIP_LOW would strip out the ampersand? Per the manual, FILTER_FLAG_STRIP_LOW will strip out characters less than 32. The ampersand is character 38 in the ASCII table. After a quick look at the ASCII table, it looks like there are no "printable" characters that are less than 32, only white-space and control characters (line breaks, tabs, etc.). If it worked as you stated it should, it would be stripping all the "printable" characters: letters, numbers, etc.

 

 

http://www.php.net/manual/en/filter.filters.flags.php

FILTER_FLAG_STRIP_LOW: Strips characters that has a numerical value <32

I'm actually using FILTER_FLAG_STRIP_HIGH which isn't working as it should.

 

Really? You might want to take a look at an ASCII table (http://www.asciitable.com/). FILTER_FLAG_STRIP_HIGH is supposed to strip everything out with a character code > 127. Those characters are not ones you find on your keyboard. They include characters such as Ç, â, ▓, ¥, ½. The ampersand is character code 38 and would not be covered by either FILTER_FLAG_STRIP_LOW or FILTER_FLAG_STRIP_HIGH. I did some tests and both flags are working as I would expect.

Yep, and thanks for the links but I really don't need them. If you re-read my OP you'll see that I already indicate the ASCII value of &, hence why I thought it wasn't working.

 

In either case, I'm not sure why I thought that unless I read it wrong. I could have sworn I read an example with it saying all ASCII characters greater than 32 were stripped, but then again, I might have just gotten the greater than or less than signs reversed.

 

Hmm, strange. I do know that FILTER_SANITIZE_SPECIAL_CHARS will encode those symbols but that's not what I'm looking to do because that's more of an output usage (equivalent to htmlentities() in my book). I simply want to strip them out completely. Oh well, I'll think of something.

Hey kicken,

 

That's exactly what I ended up doing. Went the ole' regex route. Though, I have to admit, I was really excited when I "thought" I had read that a filter would do that for me without needing to write additional code. It's a cruel world  ;D
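
An added example, not code from any poster in this thread, showing which bytes FILTER_FLAG_STRIP_LOW and FILTER_FLAG_STRIP_HIGH remove and how a regex allow-list strips characters such as '&'. The sample input, the helper names and the allow-list pattern are assumptions, and FILTER_UNSAFE_RAW stands in for FILTER_SANITIZE_STRING, which is deprecated since PHP 8.1.

```php
<?php
// Added example, not code posted in the thread. Input and names are constructed.
// FILTER_UNSAFE_RAW replaces the thread's FILTER_SANITIZE_STRING (deprecated
// since PHP 8.1) so that only the STRIP_* flags act on the input.

// '&' is byte 38; tab = 9, BEL = 7, LF = 10; UTF-8 'é' is bytes 0xC3 0xA9.
$input = "Tom & Jerry\tcaf\xC3\xA9\x07\n";

function byteCodes(string $s): string
{
    // Decimal value of every byte, so the removed ranges are easy to see.
    return implode(' ', array_map('ord', str_split($s)));
}

function stripToAllowList(string $s): string
{
    // Assumed policy: keep ASCII letters, digits and spaces, drop the rest.
    // Adjust the character class to whatever the field should accept.
    return preg_replace('/[^A-Za-z0-9 ]/', '', $s) ?? '';
}

$results = [
    'original'   => $input,
    // Removes bytes below 32 only: tab, BEL and LF go, '&' stays.
    'STRIP_LOW'  => filter_var($input, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW),
    // Removes bytes above 127 only: both bytes of 'é' go, '&' stays.
    'STRIP_HIGH' => filter_var($input, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_HIGH),
    // Both flags together still leave every printable ASCII character.
    'LOW|HIGH'   => filter_var($input, FILTER_UNSAFE_RAW,
                               FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH),
    // Allow-list regex: the only variant here that removes '&'.
    'allow-list' => stripToAllowList($input),
];

foreach ($results as $label => $value) {
    printf("%-11s %s\n", $label, byteCodes($value));
}
```

Stripping on input does not replace encoding on output with htmlspecialchars() when the value is later written into HTML.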

Archived

This topic is now archived and is closed to further replies.
