I sanitise the data I receive from the form in the following way:
$gender = filter_var($_POST['gender'], FILTER_SANITIZE_STRING);
$firstName = filter_var($_POST['firstName'], FILTER_SANITIZE_STRING);
$lastName = filter_var($_POST['lastName'], FILTER_SANITIZE_STRING);
$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
$message = filter_var($_POST['comment'], FILTER_SANITIZE_STRING);
$address = filter_var($_POST['address'], FILTER_SANITIZE_STRING);
$numBrochures = (int) filter_var($_POST['quantity'], FILTER_SANITIZE_NUMBER_INT);
The relevant SQL queries that insert the data are as follows:
if (mysqli_query($conn, "INSERT INTO users(firstName, lastName, email, gender) VALUES('$firstName', '$lastName', '$email', '$gender')") == TRUE) {
logSuccess($file, "Adding user");
}
else {
logError($file, "Adding user", mysqli_error($conn));
}
$userId = $conn->query("SELECT `userId` FROM users WHERE `firstName` = '$firstName' AND `lastName` = '$lastName' AND `email` = '$email'")->fetch_object()->userId;
if ($userId == false) {
logError($file, "Fetching user id", mysqli_error($conn));
}
if (mysqli_query($conn, "INSERT INTO brochureOrders(userId, address, numBrochures, message) VALUES('$userId', '$address', '$numBrochures', '$message')") == TRUE) {
logSuccess($file, "Brochure Order");
$sendConfirmationEmail = true;
}
else {
logError($file, "Brochure Order", mysqli_error($conn));
}
However, in my database, I see entries like the following:
address = "vz8y8E gghwptvvzuak, [url=http://ytvsmximkjnp.com/]ytvsmximkjnp[/url], [link=http://hiabgyvsjifp.com/]hiabgyvsjifp[/link], http://tyvylndqitoy.com/"
Shouldn't the following have taken care of this?
$address = filter_var($_POST['address'], FILTER_SANITIZE_STRING);
Could someone tell me what I am doing incorrectly here?
filter_varwith the 'FILTER_SANITIZE_STRING' filter just strips tags and (optionally) strips or encodes special characters. What were you hoping that it would do?