ajoo Posted September 28, 2015 Share Posted September 28, 2015 Hi all ! I have an array made up of strings of comma separated numbers and these strings are separated from each other by a space like this : "1,2,3,4 1,1,1,1 2,2,2,2 4,4,4,4 1,1,1 2,2,2 3,3,3 " etc. i.e. the array is made up of comma separated strings like 1,2,3,4 separated by a space and then another string 1,1,1,1. I would like to know if I can use the filter_var_array for sanitizing these strings and how? If it is not possible to use the filter_var_array then how can I sanitize the array values before inserting them into a DB. Any help is highly appreciated. Thanks all. Quote Link to comment https://forums.phpfreaks.com/topic/298346-filtering-data-using-filter_var_array-before-storing-it-into-a-db/ Share on other sites More sharing options...
scootstah Posted September 28, 2015 Share Posted September 28, 2015 How are they stored? As a string like that? Quote Link to comment https://forums.phpfreaks.com/topic/298346-filtering-data-using-filter_var_array-before-storing-it-into-a-db/#findComment-1521732 Share on other sites More sharing options...
Psycho Posted September 28, 2015 Share Posted September 28, 2015 Sounds like you have a string and not an array - what is the DB field type that you are storing this in. Would seem this needs to be sanitized as a string. But, . . . If you are storing data as comma separated values into a DB, then you are doing it wrong. Without knowing what the data represents, it is impossible to provide concrete advice. But, I would think this should be stored in a single separate table. I will assume each "group" of numbers is a record and each value in the group correlates to different values. So, you might have a table that has fields such as this: id: primary key for the 'array' records rec_id: a foreign key reference to the records for which this data is associated with val_1: the first value val_2: the second value val_3: the third value val_4: the fourth value Obviously, the fields shoudl be given more descriptive names. But, that format allows you to associate one or more "records" (e.g. 1,2,3,4) to some other entity. Quote Link to comment https://forums.phpfreaks.com/topic/298346-filtering-data-using-filter_var_array-before-storing-it-into-a-db/#findComment-1521734 Share on other sites More sharing options...
ajoo Posted September 28, 2015 Author Share Posted September 28, 2015 (edited) Hi !! Thanks for that super fast response. Well I will elaborate a bit on the data. Its actually coming from flash and is stored there in an array. trys_per_minute = Array(); . . // trys_per_minute is filled with values lvv.db_trys_per_minute = trys_per_minute; // (1,2,3,4 1,1,1,1 3,2,2,1, 1,2,2,1) etc. lvv.sendAndLoad(path+"trys.php",lvInn,"POST"); // & sent as POST array to PHP Frankly I am not sure how these values will be handled in php whether as an array or as a string. Maybe you can guide me on how I should handle them on the PHP side. What I do know is that I want to add these in the DB so that I may remove them and separate them on the spaces and then use each substring as a a independent string and further explode them at the "," when I need to and extract the digits. So How may I sanitize them before I add them into the DB. I hope I am able to express myself make clearly here. Thanks very much. Edited September 28, 2015 by ajoo Quote Link to comment https://forums.phpfreaks.com/topic/298346-filtering-data-using-filter_var_array-before-storing-it-into-a-db/#findComment-1521739 Share on other sites More sharing options...
ajoo Posted September 28, 2015 Author Share Posted September 28, 2015 Hi, So I tested a bit and i found that the array is translated into something like this : 4%2C3%2C4%2C3%20%2C4%2C3%2C4%2C3%20%2C2%2C3%2C2%2C3%20%2C3%2C3%2C3%2C3%20%2C3%2C3%2C3%2C3%20 and this is what is received in PHP. I guess this would be a long string that is received by PHP. Now then the question is how to sanitize this and such strings to ensure that they are composed of numbers, spaces and commas and maybe the - sign as well and do not have anything that could pose a security risk. Thank you all. Quote Link to comment https://forums.phpfreaks.com/topic/298346-filtering-data-using-filter_var_array-before-storing-it-into-a-db/#findComment-1521746 Share on other sites More sharing options...
Jacques1 Posted September 28, 2015 Share Posted September 28, 2015 There's really no such thing as “data sanitization”. Security always depends on the specific context. The same data may be entirely harmless in one context and cause horrible damage in another context. So there isn't any universal function to make all input safe once and forever. What you should so is parse the string and then insert the extracted numbers into your database system using prepared statements. Like Psycho already said, comma-separated values don't belong into an SQL table. One field is for one value (of course there are always exceptions, but this is a good rule of thumb). Since prepared statements reliably prevent SQL injections, you won't have any security problems in your database-related code. If you use the data in a different context, you should use escape it using an appropriate function for this specific context (like htmlspecialchars() for HTML). 1 Quote Link to comment https://forums.phpfreaks.com/topic/298346-filtering-data-using-filter_var_array-before-storing-it-into-a-db/#findComment-1521751 Share on other sites More sharing options...
Solution Psycho Posted September 28, 2015 Solution Share Posted September 28, 2015 The data you are receiving it url encoded. So, you should decode it first. Then parse the data into the specific values. You can then save the individual values into appropriate database fields. Rough example: $stringFromJava = "4%2C3%2C4%2C3%20%2C4%2C3%2C4%2C3%20%2C2%2C3%2C2%2C3%20%2C3%2C3%2C3%2C3%20%2C3%2C3%2C3%2C3%20"; $stringFromJava = urldecode($stringFromJava); $outputAry = array(); $groups = explode(' ', $stringFromJava); foreach($groups as $group) { $valuesAry = array(); $values = explode(',', $group); foreach($values as $value) { //If value is not numeric, skip it if(!is_numeric($value)) { continue; } //Add value to group values array $valuesAry[] = $value; } //Add validation logic for the group if(count($valuesAry) != 4) { continue; } $outputAry[] = $valuesAry; } echo "<pre>" . print_r($outputAry, TRUE) . "<pre>"; Output: Array ( [0] => Array ( [0] => 4 [1] => 3 [2] => 4 [3] => 3 ) [1] => Array ( [0] => 4 [1] => 3 [2] => 4 [3] => 3 ) [2] => Array ( [0] => 2 [1] => 3 [2] => 2 [3] => 3 ) [3] => Array ( [0] => 3 [1] => 3 [2] => 3 [3] => 3 ) [4] => Array ( [0] => 3 [1] => 3 [2] => 3 [3] => 3 ) ) 1 Quote Link to comment https://forums.phpfreaks.com/topic/298346-filtering-data-using-filter_var_array-before-storing-it-into-a-db/#findComment-1521788 Share on other sites More sharing options...
ajoo Posted September 29, 2015 Author Share Posted September 29, 2015 Hi Jacques1 and Psycho. Thank you both for the inputs. Jacques1 really good to see you back after a long break !! Psycho thanks for that example. That should solve it for sure. Thanks again to both of you Gurus. Quote Link to comment https://forums.phpfreaks.com/topic/298346-filtering-data-using-filter_var_array-before-storing-it-into-a-db/#findComment-1521828 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.