We haven’t yet introduced the most powerful PHP function for sanitizing data:
filter_var(). This function operates on a variable and passes it through a “filter” that produces the desired outcome.
As its first argument,
filter_var() takes a variable. As its second, it takes an ID representing the type of filtering that should be performed. There are several filters for sanitizing common input types, including
FILTER_SANITIZE_EMAIL. The function will return either the sanitized version of the input or
FALSE if it was unable to perform the sanitization.
$bad_email = '<a href="www.evil-spam.biz">@gmail.com'; echo filter_var($bad_email, FILTER_SANITIZE_EMAIL); // Prints: firstname.lastname@example.org
FILTER_SANITIZE_EMAIL filter trimmed whitespace throughout our input and removed dangerous characters thus preventing any HTML injection. Essentially, it filtered out any characters not allowed in emails. Once sanitized, we can safely display user inputs.
$bad_email did not store a valid email in the first place. But since we often want to display invalid form data as a hint for the user, this sanitization would be useful to prevent a man-in-the middle attack. We could also have used
htmlspecialchars($bad_email), but that would have produced
<a href="www.evil-spam.biz">@gmail.com instead. Choose the sanitization method based on the output you want to show to the users.
You can check out the other sanitization filters available in the PHP manual.
Take a minute to familiarize yourself with the provided code. We declared three variables:
$validation_erroris the inner HTML of our error
$user_answeris assigned to the
valueattribute of the
$submission_responseis included in the inner HTML for the
<p>element after the form.
Right now these variables are all assigned empty strings. Notice how when you submit the form, nothing changes. You’ll be changing that in the next task!
In the PHP section of your code (above the HTML), you’ll be writing code to sanitize a user’s input and then generate an error or message depending on whether or not they got the answer right.
You’ll be reassigning the variables we’ve defined for you (
$submission_response) depending on the user’s submission.
If the form has been submitted (
$_SERVER["REQUEST_METHOD"] === "POST"), you should assign to
$user_answer the value returned from invoking
filter_var() with the user’s input. You’ll also need to pass in a sanitization filter designed to sanitize integers. If the form has not been submitted, you shouldn’t do anything.
Once sanitized, you should check whether or not the answer submitted is correct. If the user’s sanitized answer is
-5, they got the question right! You should assign
$submission_response the string value
If they did not get the correct answer, you should assign
$validation_error the string value of
"* Wrong answer. Try again.".
Everything should be working properly now. You can try it out for yourself to make sure. What happens when you submit incorrect answers? What about the correct answer? What happens when you submit answers with unacceptable characters?
Notice how an input like
<p>-5</p> will get sanitized to
-5 and marked as correct.