Filtering data using filter_var_array before storing it into a DB

[ajoo]

Hi all !

 

I have an array made up of strings of comma separated numbers and these strings are separated from each other by a space like this : "1,2,3,4   1,1,1,1   2,2,2,2   4,4,4,4   1,1,1   2,2,2   3,3,3 "  etc.

 

i.e. the array is made up of comma separated strings like 1,2,3,4 separated by a space and then another string 1,1,1,1.

I would like to know if I can use the filter_var_array for sanitizing these strings and how? If it is not possible to use the filter_var_array then how can I sanitize the array values before inserting them into a DB. Any help is highly appreciated.

 

Thanks all. 

 

 

 

[scootstah]

How are they stored? As a string like that?

[Psycho]

Sounds like you have a string and not an array - what is the DB field type that you are storing this in. Would seem this needs to be sanitized as a string. But, . . . 

 

If you are storing data as comma separated values into a DB, then you are doing it wrong. Without knowing what the data represents, it is impossible to provide concrete advice. But, I would think this should be stored in a single separate table. I will assume each "group" of numbers is a record and each value in the group correlates to different values. So, you might have a table that has fields such as this:

 

 id: primary key for the 'array' records

rec_id: a foreign key reference to the records for which this data is associated with

val_1: the first value

val_2: the second value

val_3: the third value

val_4: the fourth value

 

Obviously, the fields shoudl be given more descriptive names. But, that format allows you to associate one or more "records" (e.g. 1,2,3,4) to some other entity.

[ajoo]

Hi !! 

 

Thanks for that super fast response. Well I will elaborate a bit on the data. Its actually coming from flash and is stored there in an array.

trys_per_minute = Array();
.
.
                                           // trys_per_minute is filled with values
lvv.db_trys_per_minute = trys_per_minute; // (1,2,3,4 1,1,1,1 3,2,2,1, 1,2,2,1)  etc.
lvv.sendAndLoad(path+"trys.php",lvInn,"POST"); // & sent as POST array to PHP

Frankly I am not sure how these values will be handled in php whether as an array or as a string. Maybe you can guide me on how I should handle them on the PHP side.

 

What I do know is that I want to add these in the DB so that I may remove them and separate them on the spaces and then use each substring as a a independent string and further explode them at the ","  when I need to and extract the digits.  So How may I sanitize them before I add them into the DB.

 

I hope I am able to express myself make clearly here. 

 

Thanks very much.

Edited September 28, 2015 by ajoo

[ajoo]

Hi, 

 

So I tested a bit and i found that the array is translated into something like this :

 

4%2C3%2C4%2C3%20%2C4%2C3%2C4%2C3%20%2C2%2C3%2C2%2C3%20%2C3%2C3%2C3%2C3%20%2C3%2C3%2C3%2C3%20

 

and this is what is received in PHP. I guess this would be a long string that is received by PHP. Now then the question is how to sanitize this and such strings to ensure that they are composed of numbers, spaces and commas and maybe the - sign as well and do not have anything that could pose a security risk.

 

Thank you all.

[Jacques1]

There's really no such thing as “data sanitization”.

 

Security always depends on the specific context. The same data may be entirely harmless in one context and cause horrible damage in another context. So there isn't any universal function to make all input safe once and forever.

 

What you should so is parse the string and then insert the extracted numbers into your database system using prepared statements. Like Psycho already said, comma-separated values don't belong into an SQL table. One field is for one value (of course there are always exceptions, but this is a good rule of thumb).

 

Since prepared statements reliably prevent SQL injections, you won't have any security problems in your database-related code. If you use the data in a different context, you should use escape it using an appropriate function for this specific context (like htmlspecialchars() for HTML).

[Psycho]

The data you are receiving it url encoded. So, you should decode it first. Then parse the data into the specific values. You can then save the individual values into appropriate database fields.

 

Rough example:

 

$stringFromJava = "4%2C3%2C4%2C3%20%2C4%2C3%2C4%2C3%20%2C2%2C3%2C2%2C3%20%2C3%2C3%2C3%2C3%20%2C3%2C3%2C3%2C3%20";
$stringFromJava = urldecode($stringFromJava);
 
$outputAry = array();
$groups = explode(' ', $stringFromJava);
foreach($groups as $group)
{
    $valuesAry = array();
    $values = explode(',', $group);
    foreach($values as $value)
    {
        //If value is not numeric, skip it
        if(!is_numeric($value)) { continue; }
        //Add value to group values array
        $valuesAry[] = $value;
    }
 
    //Add validation logic for the group
    if(count($valuesAry) != 4)  { continue; }
 
    $outputAry[] = $valuesAry;
}
 
echo "<pre>" . print_r($outputAry, TRUE) . "<pre>";

 

Output:

 

Array
(
    [0] => Array
        (
            [0] => 4
            [1] => 3
            [2] => 4
            [3] => 3
        )
 
    [1] => Array
        (
            [0] => 4
            [1] => 3
            [2] => 4
            [3] => 3
        )
 
    [2] => Array
        (
            [0] => 2
            [1] => 3
            [2] => 2
            [3] => 3
        )
 
    [3] => Array
        (
            [0] => 3
            [1] => 3
            [2] => 3
            [3] => 3
        )
 
    [4] => Array
        (
            [0] => 3
            [1] => 3
            [2] => 3
            [3] => 3
        )
 
)

[ajoo]

Hi Jacques1 and Psycho. Thank you both for the inputs. Jacques1 really good to see you back after a long break !! Psycho thanks for that example. That should solve it for sure. 

 

Thanks again to both of you Gurus.