A modern, robust approach to handling PHP's loose typing system. The Sanitizer enforces strict data typing, prevents injection attacks, handles multibyte data properly, and protects against overflow vulnerabilities.
✅ Type Enforcement - Prevents illegal data insertion
✅ Multibyte Safe - Proper UTF-8 handling
✅ Injection Protection - Guards against SQL, XSS, path traversal
✅ Overflow Prevention - Blocks delimiter attacks, NaN, infinity
✅ Static API - Clean, modern interface (since v2.0)
use Beamreactor\Sanitizer\Parser;
The Sanitizer is auto-loaded via BeamReactor's PluginAutoloader.
use Beamreactor\Sanitizer\Parser;
// Sanitize user input
$cleanEmail = Parser::sanitize($_POST['email'], 'email');
$cleanAge = Parser::sanitize($_POST['age'], 'int');
$cleanName = Parser::sanitize($_POST['name'], 'string', ['maxLength' => 100]);
// Check if data is valid (returns true/false)
if (Parser::check($userInput, 'uuid')) {
// Valid UUID
} else {
// Invalid format
}
Evaluates mathematical expressions in text fields (e.g., "2+2" → 4).
$result = Parser::sanitize('10 + 5 * 2', 'arithmetic');
// Returns: 20
Integer values only.
$age = Parser::sanitize('25.7', 'int');
// Returns: 25
$negative = Parser::sanitize('-100', 'int');
// Returns: -100
Floating-point numbers.
$price = Parser::sanitize('19.99', 'float');
// Returns: 19.99
$scientific = Parser::sanitize('1.5e3', 'float');
// Returns: 1500.0
General text with sanitization.
$text = Parser::sanitize('<script>alert("xss")</script>', 'string');
// Returns: sanitized string (no HTML)
$limited = Parser::sanitize('Very long text...', 'string', ['maxLength' => 50]);
// Returns: truncated to 50 chars
Human names (letters, spaces, hyphens, apostrophes).
$name = Parser::sanitize("Jean-François O'Brien", 'name');
// Returns: "Jean-François O'Brien"
$invalid = Parser::sanitize("John123", 'name');
// Returns: "John" (numbers stripped)
HTML content (preserves safe tags).
$content = Parser::sanitize('<p>Hello <b>world</b></p>', 'html');
// Returns: allowed tags preserved, dangerous ones stripped
XML-safe content.
$xml = Parser::sanitize('<tag attr="value">Text & symbols</tag>', 'xml');
// Returns: properly escaped XML
Email addresses.
$email = Parser::sanitize(' USER@EXAMPLE.COM ', 'email');
// Returns: "user@example.com" (trimmed, lowercased)
if (Parser::check($email, 'email')) {
// Valid email format
}
URLs and URIs.
$url = Parser::sanitize('https://example.com/path?query=value', 'url');
// Returns: validated URL
$cleaned = Parser::sanitize('javascript:alert(1)', 'url');
// Returns: false (dangerous protocol)
IPv4 and IPv6 addresses.
$ip = Parser::sanitize('192.168.1.1', 'ip');
// Returns: "192.168.1.1"
$ipv6 = Parser::sanitize('2001:0db8::1', 'ip');
// Returns: valid IPv6
File paths (prevents directory traversal).
$path = Parser::sanitize('uploads/file.jpg', 'path');
// Returns: "uploads/file.jpg"
$malicious = Parser::sanitize('../../../etc/passwd', 'path');
// Returns: false (traversal blocked)
Date and datetime values.
$date = Parser::sanitize('2025.12.29', 'date');
// Returns: validated date
$datetime = Parser::sanitize('2025.12.29 14:30:00', 'date');
// Returns: valid datetime
Boolean values.
$bool = Parser::sanitize('true', 'bool');
// Returns: true
$zero = Parser::sanitize('0', 'bool');
// Returns: false
Universally Unique Identifiers (v4).
$uuid = Parser::sanitize('550e8400-e29b-41d4-a716-446655440000', 'uuid');
// Returns: valid UUID
if (Parser::check($input, 'uuid')) {
// Valid UUID format
}
LDAP usernames.
$ldap = Parser::sanitize('john.doe', 'ldapuser');
// Returns: LDAP-safe username
PHP session IDs.
$session = Parser::sanitize($_COOKIE['PHPSESSID'], 'phpsession');
// Returns: validated session ID
Ensures null values.
$null = Parser::sanitize('', 'null');
// Returns: null
$nonNull = Parser::sanitize('value', 'null');
// Returns: false
Validates UTF-8 encoding.
$text = Parser::sanitize($input, 'encoding');
// Returns: UTF-8 validated text
Pass-through type (for custom validation).
$raw = Parser::sanitize($data, 'dummy');
// Returns: data as-is (no sanitization)
Most datatypes accept an options array as the third parameter:
Parser::sanitize($input, $type, $options);
Common options:
maxLength - Maximum string lengthminLength - Minimum string lengthallowedChars - Whitelist of charactersencoding - Character encoding (default: UTF-8)Examples:
// Limit string length
$username = Parser::sanitize($input, 'string', ['maxLength' => 50]);
// Minimum length enforcement
$password = Parser::sanitize($input, 'string', ['minLength' => 8]);
// Custom character whitelist
$code = Parser::sanitize($input, 'string', ['allowedChars' => 'A-Z0-9']);
Pass an empty array to sanitize without encoding:
// Sanitize but don't HTML-encode
$text = Parser::sanitize($message, 'string', []);
// ALWAYS sanitize user input
$userId = Parser::sanitize($_GET['id'], 'int');
$email = Parser::sanitize($_POST['email'], 'email');
$file = Parser::sanitize($_FILES['upload']['name'], 'path');
// Use with BeamReactor SQL class
use Beamreactor\Database\SQL;
$name = Parser::sanitize($_POST['name'], 'string', ['maxLength' => 100]);
$age = Parser::sanitize($_POST['age'], 'int');
SQL::query(
"INSERT INTO users (name, age) VALUES (?, ?)",
[$name, $age],
['string', 'int']
);
// User-generated content
$comment = Parser::sanitize($_POST['comment'], 'html');
// Display safely
echo $comment; // Dangerous tags stripped
// File uploads
$filename = Parser::sanitize($_FILES['file']['name'], 'path');
if ($filename) {
move_uploaded_file($_FILES['file']['tmp_name'], 'uploads/' . $filename);
}
Both sanitize() and check() return false on validation failure:
$result = Parser::sanitize($input, 'email');
if ($result === false) {
// Invalid email format
throw new Exception('Invalid email address');
}
Type-safe checking:
if (!Parser::check($_POST['uuid'], 'uuid')) {
http_response_code(400);
die('Invalid UUID format');
}
Old (instance-based):
$parser = new Sanitizer\Parser();
$clean = $parser->sanitize($data, 'string');
New (static):
use Beamreactor\Sanitizer\Parser;
$clean = Parser::sanitize($data, 'string');
Int not int)Author: Treveur Bretaudière
Organization: BeamReactor
License: Proprietary (BeamReactor CMS)
Version: 2.1.0 (Static API)
