From the book:
For MySQL security, you can use sprintf() to force user input to have a maximum length and be valid for the structure of your database. Use the precision specifier to automatically parse the string submitted by GET or POST.
From the book:
For MySQL security, you can use sprintf() to force user input to have a maximum length and be valid for the structure of your database. Use the precision specifier to automatically parse the string submitted by GET or POST.
sprintf(formatting, inputs [, …inputs…]
Accepts multiple inputs to be used when specified in formatting
formatting – $string, specific formatting string, explained below
inputs – $scalar(s) to be formatted
Returns a formatted string formatting, using the inputs to dynamically input their values into the formatted string using a preset set of rules, specified below.
The following is the available nomenclature for the formatting input.
Every time an input is expected to be used and evaluated as part of the formatted string, it is preceded by a percent sign ( % ), followed by the specifiers/rules:
Note: All specifiers, excluding the type specifier, are optional.
A sign specifier. Placing a plus sign ( + ) forces negative AND positive signs to be visible (only negative values are specified by default).
A padding specifier. The default is a space, and does not need to be specified. A zero ( 0 ) can be used as well without any secondary notation. If any other character is to be used, it should be preceded with a single quote ( ‘ ).
An alignment specifier. The default is right-justified (thus padding is placed on the left of the string). Placing a dash/subtract ( – ) will set it to left-justified.
A width specifier. This integer determines the minimum length in characters the output should be. When combined with padding, the specified width minus the input’s length determines the number of padded characters that will be added.
A precision specifier. A period ( . ) followed by an integer, sets the number of decimal places that should be output for a float. If used on a string, it sets a maximum character limit for the output.
A type specifier:
% – a literal percent sign, thus would be written %% to display a percent sign in the formatting string
b – the input should be an integer, a binary number is the output.
c – the input should be an integer between 0-255, representing the ASCII byte-value. The character represented is output.
d – the input should be an integer.
e – the input is scientific notation.
u – the input is an unsigned decimal number.
f – the input is a float (locale aware).
F – the input is a float (not locale aware).
o – the input is an integer, an octal number is the output.
s – the input is a string.
x – the input is an integer, a hexadecimal number is the output (with lowercase letters).
X – the input is an integer, a hexadecimal number is the output (with uppercase letters).
Examples:
Basic substitution, no optional specifiers
$string = ‘cat’;
$integer = 10;
echo sprintf(“I have %d %s(s)”, $integer, $string);
I have 10 cat(s)
Basic substitution, type specification automatic adjustments
$string = ‘cat’;
$string2 = ’10 blah’;
echo sprintf(“I have %d %s(s)”, $string2, $string);
I have 10 cat(s)
Using the sign specifier
$string = ‘cat’;
$integer = ’10’;
echo sprintf(“Dagger has a %+d against %ss”, $integer, $string);
Dagger has a +10 against cats
Using padding and width specifiers (default padding specifier of a space)
$string = ‘cat’; // length, 3 characters
echo ‘’; // HTML Required to display the formating properly
echo sprintf(“3 spaces added: |%6s”, $string);
// Used padding of 6 characters, 6 – 3 = 3 spaces padded
Pad from line 3 spaces: | cat
Using padding and width using a zero ( 0 ) for padding
$month = 12;
$day = 1;
$year = 1980;
echo sprintf (” Date: %02d/%02d/%04d.”, $month, $day, $year);
$year = 80;
echo sprintf (” Date: %02d/%02d/%04d.”, $month, $day, $year);
Date: 12/01/1980. Date: 12/01/0080.
Using padding and width using a custom character, the asterisk ( * )
$endofpassword = ‘word’;
$output = sprintf(“Your password: %’*8s”, $endofpassword);
echo $output;
Your password: ****word
Using padding, alignment (left), and width
$endofpassword = ‘word’;
$output = sprintf(“Your password: %’*-8s”, $endofpassword);
echo $output;
Your password: word****
Using the precision specifier
$scientific = 1.2e3;
echo sprintf(“Three decimal places: %.3e”, $scientific);
Three decimal places: 1.200e+3
$float = 1.2e3;
echo sprintf(“Two decimal places: %.2f”, $float);
Two decimal places: 1200.00
$string = ‘Hello World!’;
echo sprintf(“Cut-off after 4 characters: %.4s”, $string);
Cut-off after 4 characters: Hell
See Also:
printf() – prints a formatted string results rather than simply returning them
sscanf() – Parses a string through a formatted string, reverse of sprintf()