Encoding and Escaping Strategies

Validation rejects input that does not fit its expected shape, but a legitimate value (a surname such as O'Brien, a comment containing <) still has to be rendered somewhere. Encoding makes such a value inert in its output context, and the encoder must match that context: HTML entity encoding does nothing for a value concatenated into a JavaScript string, and neither helps a value concatenated into SQL, where a bind parameter is the right tool. The helpers below cover the common contexts:

<?php
declare(strict_types=1);

class SafeEncoder {
    // HTML encoding for element text and quoted attribute values.
    // ENT_QUOTES encodes both quote characters, so the result is safe inside
    // single- or double-quoted attributes; it is not safe in unquoted ones,
    // because a space still ends an unquoted attribute value.
    public static function htmlEncode(string $input): string {
        return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    // JavaScript encoding for a value placed inside a JS string literal.
    // The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so the
    // output can neither close a <script> block nor break out of either quote
    // style. JSON_THROW_ON_ERROR (PHP 7.3+) surfaces invalid UTF-8 instead of
    // silently returning false. The caller must put the result between quotes;
    // an unquoted JS position (an identifier, an event name) cannot be made
    // safe by escaping at all.
    public static function jsEncode(string $input): string {
        $escaped = json_encode(
            $input,
            JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_THROW_ON_ERROR
        );
        return substr($escaped, 1, -1); // Strip the surrounding double quotes json_encode adds
    }

    // URL encoding for a single query-string or path-segment value.
    // rawurlencode() follows RFC 3986 (space becomes %20, not +). It protects
    // one parameter value only: it is no defense when the user supplies the
    // whole URL, and the result still needs attribute encoding inside an href.
    public static function urlEncode(string $input): string {
        return rawurlencode($input);
    }

    // SQL identifier escaping for table or column names, which cannot be bind
    // parameters. Prefer mapping user input onto a fixed list of known names;
    // use this only when the identifier genuinely has to be dynamic.
    public static function escapeIdentifier(string $identifier, string $allowedChars = 'a-zA-Z0-9_'): string {
        // Only allow whitelisted characters. \z rather than $ so that a
        // trailing newline cannot slip past the check.
        if (!preg_match("/^[$allowedChars]+\\z/", $identifier)) {
            throw new InvalidArgumentException("Invalid identifier format");
        }

        // MySQL limits identifiers to 64 characters
        if (strlen($identifier) > 64) {
            throw new InvalidArgumentException("Identifier too long");
        }

        // Quote for MySQL; a doubled backtick is MySQL's escape inside a quoted
        // identifier (redundant under the default allow-list, kept as defense
        // in depth in case a caller widens it).
        return '`' . str_replace('`', '``', $identifier) . '`';
    }

    // Safe filename generation for user-supplied names (uploads, exports)
    public static function sanitizeFilename(string $filename): string {
        // Strip NUL bytes, which truncate the name in C-level filesystem calls
        $filename = str_replace("\0", '', $filename);

        // Drop any directory component, which removes ../ traversal
        $filename = basename($filename);

        // Replace everything outside a conservative allow-list
        $filename = preg_replace('/[^a-zA-Z0-9._-]/', '_', $filename);

        // Ensure it doesn't start with a dot (hidden file such as .htaccess);
        // this also reduces "." and ".." to the empty string
        $filename = ltrim($filename, '.');

        // Limit length to 255 bytes (the usual filesystem maximum), keeping
        // the extension and truncating the base name. A name without an
        // extension is cut directly rather than given a trailing dot.
        if (strlen($filename) > 255) {
            $extension = pathinfo($filename, PATHINFO_EXTENSION);
            $name = pathinfo($filename, PATHINFO_FILENAME);
            if ($extension !== '') {
                $name = substr($name, 0, max(1, 254 - strlen($extension)));
                $filename = $name . '.' . $extension;
            } else {
                $filename = substr($name, 0, 255);
            }
        }

        return $filename ?: 'unnamed';
    }
}
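The encoders above only help when each is applied in the context it was written for, and nested contexts need nested encoding. The following is an added example, not code from the original page: it renders one constructed attacker value into five HTML output contexts, pairing each with the matching encoder and showing the one mistake (HTML-encoding a value that lands in an event-handler attribute) that still lets the payload execute. The two helper functions mirror SafeEncoder::htmlEncode and SafeEncoder::jsEncode; the $untrusted value and the markup templates are invented for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original page: one untrusted value rendered
// into five output contexts, each with the encoder that matches it. The two
// encoders below mirror SafeEncoder::htmlEncode and SafeEncoder::jsEncode.

function htmlEncode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Body of a JS string literal; the caller supplies the surrounding quotes.
function jsEncode(string $s): string
{
    $json = json_encode(
        $s,
        JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_THROW_ON_ERROR
    );
    return substr($json, 1, -1);
}

// Constructed attacker input: tries to close a single-quoted JS string and
// then the enclosing <script> element.
$untrusted = "x'); alert(1); //</script>";

// 1. HTML element text: entity-encode.
$body = '<p>' . htmlEncode($untrusted) . '</p>';

// 2. HTML attribute: same encoder, but the attribute must be quoted, because
//    htmlspecialchars leaves spaces alone and an unquoted value ends at one.
$attr = '<input value="' . htmlEncode($untrusted) . '">';

// 3. String literal inside <script>: JS-encode. The browser does not decode
//    entities inside <script>, so htmlEncode would be the wrong tool and
//    would also corrupt the data; JSON_HEX_TAG is what turns "</script>"
//    into \u003C\/script\u003E so the element cannot be closed early.
$script = "<script>var name = '" . jsEncode($untrusted) . "';</script>";

// 4. JS string inside an HTML event handler. The HTML parser decodes entities
//    BEFORE the JS parser runs, so the value is JS-encoded first and then
//    attribute-encoded: innermost context first.
$handlerSafe = '<button onclick="greet(\'' . htmlEncode(jsEncode($untrusted)) . '\')">Go</button>';

// Wrong: HTML encoding alone. The HTML parser decodes &apos; back to ', so
// the JS that finally runs is greet('x'); alert(1); // ...  Never ship this.
$handlerWrong = '<button onclick="greet(\'' . htmlEncode($untrusted) . '\')">Go</button>';

// 5. Query-string value in an href: percent-encode the value, then
//    attribute-encode the whole URL (the & between parameters, for instance,
//    belongs in HTML as &amp;).
$link = '<a href="/search?q=' . htmlEncode(rawurlencode($untrusted)) . '">find</a>';

foreach (['body' => $body, 'attr' => $attr, 'script' => $script,
          'handler' => $handlerSafe, 'handler (WRONG)' => $handlerWrong,
          'link' => $link] as $ctx => $out) {
    printf("%-16s %s\n", $ctx . ':', $out);
}
```

Run it and compare the "handler" and "handler (WRONG)" lines: the safe form keeps the quote as \u0027 through both parsers, while the wrong form hands the browser a bare quote once the attribute is decoded. Case 5 covers a value inside a URL only; when the untrusted input is the whole URL (a redirect target, a user-supplied link), percent-encoding does not apply and the scheme has to be allow-listed instead.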

Input validation must be applied consistently at every application entry point: request parameters, headers, cookies, uploaded files and messages arriving from other services. Client-side validation improves the user experience but provides no security, since an attacker talks to the server directly, so every check must be repeated server-side. Validation narrows what a value can be; parameterized queries and context-specific output encoding then make whatever remains inert. Neither layer replaces the other, and together they give defense in depth against SQL injection and the related injection attacks covered above.
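To make the combination concrete, here is an added example (not code from the original page) of the pattern the paragraph describes: a query whose filter value goes through a bind parameter and whose sort column, which no database driver will accept as a bind parameter, is first checked against a closed list and then quoted with an inline copy of the page's escapeIdentifier logic. The users table, the SORTABLE list, findUsers() and the sample rows are invented for the demonstration; an in-memory SQLite database stands in for MySQL, and SQLite accepts MySQL-style backtick-quoted identifiers, so the same quoting works in both.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page: value via bind parameter,
// identifier via allow-list plus quoting. Table and data are constructed.

// Same rules as SafeEncoder::escapeIdentifier on the page, inlined here so the
// file runs stand-alone.
function escapeIdentifier(string $identifier): string
{
    if (!preg_match('/^[a-zA-Z0-9_]+\z/', $identifier)) {
        throw new InvalidArgumentException('Invalid identifier format');
    }
    if (strlen($identifier) > 64) {
        throw new InvalidArgumentException('Identifier too long');
    }
    return '`' . str_replace('`', '``', $identifier) . '`';
}

// Columns a client is allowed to sort by: a closed list, not "any string that
// happens to look like an identifier". escapeIdentifier() is the second layer.
const SORTABLE = ['name', 'created_at'];

function findUsers(PDO $db, string $status, string $sortBy): array
{
    if (!in_array($sortBy, SORTABLE, true)) {
        throw new InvalidArgumentException("Unsupported sort column: $sortBy");
    }
    // The value never touches the SQL text; the identifier is validated and
    // quoted before it is concatenated.
    $sql = 'SELECT name, status FROM users WHERE status = :status ORDER BY '
         . escapeIdentifier($sortBy);
    $stmt = $db->prepare($sql);
    $stmt->execute([':status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (name TEXT, status TEXT, created_at TEXT)');
$db->exec("INSERT INTO users VALUES ('bob', 'active', '2024-01-02'),"
        . " ('alice', 'active', '2024-01-01'), ('eve', 'banned', '2024-01-03')");

// Injection attempt through the value: it is bound, so the database compares
// the literal string "active' OR '1'='1" against the status column and no row
// matches. No quoting of the value was needed anywhere in application code.
print_r(findUsers($db, "active' OR '1'='1", 'name'));

// Injection attempt through the identifier: rejected by the allow-list before
// any SQL text is built, so escapeIdentifier() is never even reached.
try {
    findUsers($db, 'active', 'name; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// Legitimate request: active users sorted by name.
print_r(findUsers($db, 'active', 'name'));
```

The allow-list does the real work for the identifier: with a fixed map of permitted columns, escapeIdentifier() is defense in depth rather than the primary control, and the same approach extends to table names, ORDER BY direction and any other part of a statement that cannot be parameterized.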