If you’re working with forms in CodeIgniter and processing user inputs via the $_POST array, you might have come across the following error message:
Error Message:
PHP Error was encountered
Severity: Warning
Message: strip_tags() expects parameter 1 to be string, array given
Filename: inscription/loginform3.php
Line Number: 19
This error occurs when the strip_tags() function is expecting a string, but an array is passed instead. In this article, I will break down the issue, explain the solution, and demonstrate how you can add additional functionality to your code to prevent similar errors in the future.
The Original Code:
The code that triggered this error is as follows:
form_open_multipart('user/register_step_3');
// Loop through the POST variables passed from the previous page
foreach ($_POST as $key => $value){
$value = htmlentities(stripslashes(strip_tags($value)));
echo form_hidden($key, $value);
}
Explanation of the Error:
The error arises when the strip_tags() function receives an array instead of a string. Let’s break down what happens step by step.
strip_tags($value): This function removes any HTML and PHP tags from a string. It’s used to sanitize input and ensure that no HTML or PHP code is executed.stripslashes($value): This function removes backslashes from a string. It’s commonly used to clean escaped characters (e.g., removing the backslashes added during user input).htmlentities($value): This function converts special characters to HTML entities. This prevents cross-site scripting (XSS) attacks by ensuring that characters like<and>are displayed as their HTML entities (<and>).
Why the Error Happens:
The error message states that strip_tags() expects a string, but instead it’s receiving an array. This can happen when one or more form fields (e.g., a multi-checkbox or multiple select field) contain multiple values, turning the $_POST entry into an array instead of a single string.
For example, if a form contains a multi-checkbox field like this:
<input type="checkbox" name="preferences[]" value="Option 1"> Option 1
<input type="checkbox" name="preferences[]" value="Option 2"> Option 2
The resulting $_POST['preferences'] would be an array with values like ['Option 1', 'Option 2'].
When strip_tags() tries to sanitize an array, it throws the error because the function can only process strings.
The Solution:
To fix this error, we need to check if the value being processed is an array. If it is, we need to sanitize each element in the array individually. Here’s the modified code:
form_open_multipart('user/register_step_3');
// Loop through the POST variables passed from the previous page
foreach ($_POST as $key => $value){
// Check if $value is an array
if (is_array($value)) {
// If it's an array, sanitize each element
$value = array_map(function($item) {
return htmlentities(stripslashes(strip_tags($item)));
}, $value);
} else {
// If it's a string, sanitize the value
$value = htmlentities(stripslashes(strip_tags($value)));
}
// Output the sanitized value
echo form_hidden($key, $value);
}
Explanation of the Fix:
is_array($value): This check ensures that we only apply the sanitization functions (strip_tags(),stripslashes(),htmlentities()) to string values. If$valueis an array, we usearray_map()to loop through each element and apply the sanitization functions to each item in the array.array_map(): This function applies a given callback to each element of the array. In this case, it sanitizes each array element individually by applying the same functions (htmlentities(),stripslashes(),strip_tags()).
Additional Practice Functionality:
Now that the error is fixed, it’s a good idea to add some additional validation and error handling to make your code even more robust.
Validating Input Types:
It’s essential to ensure that each form field has the correct data type and isn’t empty. Here’s how you can add basic validation for each input:
($_POST as $key => $value) {
if (is_array($value)) {
// Sanitize each element in the array
$value = array_map(function($item) {
return htmlentities(stripslashes(strip_tags($item)));
}, $value);
} else {
// Sanitize the string value
$value = htmlentities(stripslashes(strip_tags($value)));
}
// Validate that the value is not empty
if (!empty($value)) {
echo form_hidden($key, $value);
} else {
// Handle empty value case (e.g., set a default or show an error)
echo form_hidden($key, "default_value");
}
}
Additional Error Handling:
Let’s add extra error handling to ensure that each field contains valid data and handle cases where fields are missing or have invalid characters:
($_POST as $key => $value) {
if (is_array($value)) {
$value = array_map(function($item) {
if (!is_string($item)) {
// Log error or handle the non-string value
return '';
}
return htmlentities(stripslashes(strip_tags($item)));
}, $value);
} else {
if (!is_string($value)) {
// Handle invalid string input
$value = '';
} else {
$value = htmlentities(stripslashes(strip_tags($value)));
}
}
// Add error handling for empty or invalid input
if (empty($value)) {
// Log error or show a message
echo "Error: Missing or invalid input for field '$key'.";
} else {
echo form_hidden($key, $value);
}
}
Final Thoughts:
The error you encountered, where strip_tags() expects a string but gets an array, is common when dealing with form inputs that may contain multiple values. By checking whether the value is an array and sanitizing each element in the array, you can ensure that your code handles different input types correctly.