Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Constant FILTER_SANITIZE_STRING is deprecated

Tags:

php

filter

sanitization

php-8.1

I have installed PHP 8.1 and I started testing my old project. I have used the filter FILTER_SANITIZE_STRING like so:

$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);

Now I get this error:

Deprecated: Constant FILTER_SANITIZE_STRING is deprecated

The same happens when I use FILTER_SANITIZE_STRIPPED:

Deprecated: Constant FILTER_SANITIZE_STRIPPED is deprecated

What can I replace it with?

like image 256
Dharman Avatar asked Sep 16 '21 11:09

Dharman

Video Answer

3 Answers

This filter had an unclear purpose. It's difficult to say what exactly it was meant to accomplish or when it should be used. It was also confused with the default string filter, due to its name, when in reality the default string filter is called FILTER_UNSAFE_RAW. The PHP community decided that the usage of this filter should not be supported anymore.

The behaviour of this filter was very unintuitive. It removed everything between < and the end of the string or until the next >. It also removed all NUL bytes. Finally, it encoded ' and " into their HTML entities.

If you want to replace it, you have a couple of options:

  1. Use the default string filter FILTER_UNSAFE_RAW that doesn't do any filtering. This should be used if you had no idea about the behaviour of FILTER_SANITIZE_STRING and you just want to use a default filter that will give you the string value.

  2. If you used this filter to protect against XSS vulnerabilities, then replace its usage with htmlspecialchars(). Don't call this function on the input data. To protect against XSS you need to encode the output!

  3. If you knew exactly what that filter does and you want to create a polyfill, you can do that easily with regex.

    function filter_string_polyfill(string $string): string
{
    $str = preg_replace('/\x00|<[^>]*>?/', '', $string);
    return str_replace(["'", '"'], ['&#39;', '&#34;'], $str);
}

Don’t try to sanitize input. Escape output.

like image 166
Dharman Avatar answered Nov 06 '22 09:11

Dharman

The closest constant you can use instead, if you intend to convert your variable in a safe html string, is FILTER_SANITIZE_FULL_SPECIAL_CHARS

like image 30
Chouettou Avatar answered Nov 06 '22 10:11

Chouettou

From documentation you should replace it with htmlspecialchars().

FILTER_SANITIZE_STRING

Strip tags and HTML-encode double and single quotes, optionally strip or encode special characters. Encoding quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES. (Deprecated as of PHP 8.1.0, use htmlspecialchars() instead.)

FILTER_SANITIZE_STRIPPED

Alias of "string" filter. (Deprecated as of PHP 8.1.0, use htmlspecialchars() instead.)

like image 21
francisco Avatar answered Nov 06 '22 10:11

francisco
Sign in to Comment

Related questions

I can't deploy production mode : Command returned non-zero exit code (magento 2.1)
What is the difference between the nd_pdo_mysql and pdo_mysql extensions?
Laravel 5.5 ThrottleRequest middleware
LexikJWTAuthenticationBundle - There is no extension able to load the configuration for "api_login_check"
After validation hook in validation request
How to add Media Selector to add_settings_field in WordPress?
How to switch between PHP 5.6 / 7.2 on Cloud9?
Calculate the exact margin from sales orders and purchase orders
composer : is there a way to specify a preference order for package repositories?
Set next month payment date (with PHP Carbon)
How to remove more video from youtube embed?
how to access the current index in array_reduce?
Is There a Way to Import PHP Classes into a Blade Template and Use Them in Child Templates?
How to combine laravel and vue routes
Symfony 4 softdelete with Doctrine ORM
How to add new row on Excel using PHPSpreadsheet
"Allocation of JIT memory failed, PCRE JIT will be disabled" warning in PHP 7
VS Code PHP Formatter Intelephense
PHPExcel Error: Array and string offset access syntax with curly braces is deprecated
Update Laravel Version to 8.0 From 7.x

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!