How can I sanitize a string that receives a hash+random salt?
I can remove the white spaces, check the length and use
mysqli_real_escape_string, but is it sufficient? The
filter_var is really useful but it can’t help in this case, right?
If you are going to put the variable in an SQL query, then you either need to call
mysqli_real_escape_string or (even better!) use prepared statements.
There’s no other sanitization you need to do. However, if the value will be coming from freeform user input (e.g. a text box instead of a drop down menu) then you may also want to trim whitespace and lowercase it as a courtesy to the user (to correct accidental mistakes they might make). It really depends on the application.
Answered By – Jon
Answer Checked By – Marilyn (BugsFixing Volunteer)
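As an added example (not part of the question or of Jon's answer), here is what the advice above looks like in PHP with mysqli: normalise the free-form input (trim and lowercase), reject anything that is not in the expected hash format, then bind it as a prepared-statement parameter. The `users` table with `id`, `email` and `password_hash` columns is a hypothetical schema, the 64-hex-character length assumes a hex-encoded SHA-256 (adjust to your own hash+salt encoding), and `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example, not code from the original page. Hypothetical schema:
// table `users` with columns `id`, `email`, `password_hash`.

declare(strict_types=1);

/**
 * Normalise a salted-hash string the way the answer suggests for free-form
 * input: trim surrounding whitespace and lowercase the hex digits.
 * Returns null when the result is not exactly $expectedLength hex characters
 * (64 assumed here for a hex-encoded SHA-256; change to match your format).
 * This is input validation, not SQL escaping; the query below still uses
 * a bound parameter.
 */
function normalizeHexHash(string $raw, int $expectedLength = 64): ?string
{
    $value = strtolower(trim($raw));
    if (strlen($value) !== $expectedLength || !ctype_xdigit($value)) {
        return null;
    }
    return $value;
}

/**
 * Look up a user by the stored hash with a prepared statement. The value is
 * sent as a parameter rather than spliced into the SQL text, so no escaping
 * is needed no matter which characters it contains.
 */
function findUserByHash(mysqli $db, string $hash): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE password_hash = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $hash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // requires mysqlnd (assumption)
    $stmt->close();
    return $row ?: null;
}

/**
 * Fallback if prepared statements really are not an option: escape the value
 * AND quote it in the query text. real_escape_string only escapes quote and
 * control characters; an unquoted (e.g. numeric) context stays injectable,
 * which is one reason the answer prefers prepared statements.
 */
function buildEscapedQuery(mysqli $db, string $hash): string
{
    return "SELECT id, email FROM users WHERE password_hash = '"
        . $db->real_escape_string($hash) . "'";
}

// Usage sketch; connection parameters are placeholders.
// $db = new mysqli('localhost', 'user', 'pass', 'app');
// $db->set_charset('utf8mb4'); // real_escape_string depends on the connection charset
// $hash = normalizeHexHash($_POST['hash'] ?? '');
// if ($hash === null) {
//     http_response_code(400);
//     exit('hash is not in the expected format');
// }
// $user = findUserByHash($db, $hash);
```

Setting the connection charset before calling `real_escape_string` matters: the function escapes according to the connection's character set, so a mismatch between the connection and the bytes you pass can leave quotes unescaped. Bound parameters avoid that dependency entirely, which is why they are the safer default.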