Jump to content

Filtering data using filter_var_array before storing it into a DB


ajoo
Go to solution Solved by Psycho,

Recommended Posts

Hi all !

 

I have an array made up of strings of comma separated numbers and these strings are separated from each other by a space like this : "1,2,3,4   1,1,1,1   2,2,2,2   4,4,4,4   1,1,1   2,2,2   3,3,3 "  etc.

 

i.e. the array is made up of comma separated strings like 1,2,3,4 separated by a space and then another string 1,1,1,1.

I would like to know if I can use the filter_var_array for sanitizing these strings and how? If it is not possible to use the filter_var_array then how can I sanitize the array values before inserting them into a DB. Any help is highly appreciated.

 

Thanks all. 

 

 

 

Link to comment
Share on other sites

Sounds like you have a string and not an array - what is the DB field type that you are storing this in. Would seem this needs to be sanitized as a string. But, . . . 

 

If you are storing data as comma separated values into a DB, then you are doing it wrong. Without knowing what the data represents, it is impossible to provide concrete advice. But, I would think this should be stored in a single separate table. I will assume each "group" of numbers is a record and each value in the group correlates to different values. So, you might have a table that has fields such as this:

 

 id: primary key for the 'array' records

rec_id: a foreign key reference to the records for which this data is associated with

val_1: the first value

val_2: the second value

val_3: the third value

val_4: the fourth value

 

Obviously, the fields shoudl be given more descriptive names. But, that format allows you to associate one or more "records" (e.g. 1,2,3,4) to some other entity.

Link to comment
Share on other sites

Hi !! 

 

Thanks for that super fast response. Well I will elaborate a bit on the data. Its actually coming from flash and is stored there in an array.

trys_per_minute = Array();
.
.
                                           // trys_per_minute is filled with values
lvv.db_trys_per_minute = trys_per_minute; // (1,2,3,4 1,1,1,1 3,2,2,1, 1,2,2,1)  etc.
lvv.sendAndLoad(path+"trys.php",lvInn,"POST"); // & sent as POST array to PHP

Frankly I am not sure how these values will be handled in php whether as an array or as a string. Maybe you can guide me on how I should handle them on the PHP side.

 

What I do know is that I want to add these in the DB so that I may remove them and separate them on the spaces and then use each substring as a a independent string and further explode them at the ","  when I need to and extract the digits.  So How may I sanitize them before I add them into the DB.

 

I hope I am able to express myself make clearly here. 

 

Thanks very much.

Edited by ajoo
Link to comment
Share on other sites

Hi, 

 

So I tested a bit and i found that the array is translated into something like this :

 

4%2C3%2C4%2C3%20%2C4%2C3%2C4%2C3%20%2C2%2C3%2C2%2C3%20%2C3%2C3%2C3%2C3%20%2C3%2C3%2C3%2C3%20

 

and this is what is received in PHP. I guess this would be a long string that is received by PHP. Now then the question is how to sanitize this and such strings to ensure that they are composed of numbers, spaces and commas and maybe the - sign as well and do not have anything that could pose a security risk.

 

Thank you all.

Link to comment
Share on other sites

There's really no such thing as “data sanitization”.

 

Security always depends on the specific context. The same data may be entirely harmless in one context and cause horrible damage in another context. So there isn't any universal function to make all input safe once and forever.

 

What you should so is parse the string and then insert the extracted numbers into your database system using prepared statements. Like Psycho already said, comma-separated values don't belong into an SQL table. One field is for one value (of course there are always exceptions, but this is a good rule of thumb).

 

Since prepared statements reliably prevent SQL injections, you won't have any security problems in your database-related code. If you use the data in a different context, you should use escape it using an appropriate function for this specific context (like htmlspecialchars() for HTML).

  • Like 1
Link to comment
Share on other sites

  • Solution

The data you are receiving it url encoded. So, you should decode it first. Then parse the data into the specific values. You can then save the individual values into appropriate database fields.

 

Rough example:

 

$stringFromJava = "4%2C3%2C4%2C3%20%2C4%2C3%2C4%2C3%20%2C2%2C3%2C2%2C3%20%2C3%2C3%2C3%2C3%20%2C3%2C3%2C3%2C3%20";
$stringFromJava = urldecode($stringFromJava);
 
$outputAry = array();
$groups = explode(' ', $stringFromJava);
foreach($groups as $group)
{
    $valuesAry = array();
    $values = explode(',', $group);
    foreach($values as $value)
    {
        //If value is not numeric, skip it
        if(!is_numeric($value)) { continue; }
        //Add value to group values array
        $valuesAry[] = $value;
    }
 
    //Add validation logic for the group
    if(count($valuesAry) != 4)  { continue; }
 
    $outputAry[] = $valuesAry;
}
 
echo "<pre>" . print_r($outputAry, TRUE) . "<pre>";

 

Output:

 

Array
(
    [0] => Array
        (
            [0] => 4
            [1] => 3
            [2] => 4
            [3] => 3
        )
 
    [1] => Array
        (
            [0] => 4
            [1] => 3
            [2] => 4
            [3] => 3
        )
 
    [2] => Array
        (
            [0] => 2
            [1] => 3
            [2] => 2
            [3] => 3
        )
 
    [3] => Array
        (
            [0] => 3
            [1] => 3
            [2] => 3
            [3] => 3
        )
 
    [4] => Array
        (
            [0] => 3
            [1] => 3
            [2] => 3
            [3] => 3
        )
 
)
  • Like 1
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.