Home/ Questions/Q 6646643
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T00:26:28+00:00

I’m using following function to protect my db from injection attacks and etc. for

  • 0

I’m using following function to protect my db from injection attacks and etc. for gets.

function filter($data) {
    global $db;
    $data = trim(htmlentities(strip_tags($data)));
    if (get_magic_quotes_gpc())
        $data = stripslashes($data);

    $data = $db->real_escape_string($data);

    return $data;
}

foreach($_GET as $key => $value) {
    $data[$key] = filter($value);
}

Question is, i want to filter not only $_GET but $_POST too. How to do that?

And can I reassign value to $_GET or $_POST after filtering? I mean $_GET[$key] = filter($value); instead of $data[$key] = filter($value);..

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Don’t pre-escape your variables, escape them only at the time you need to escape them.

    • If you prematurely escape your variable, you’ll never know which variable is escaped, and which is not
    • You’ll have to unescape your variables before doing string manipulations, and re-escape them after
    • Variables coming from different sources (like from an API, from a file or even from your database) won’t be escaped. You’ll forget to escape them.
    • You’ll have to un-escape all your variables before printing them (you don’t want to print the \’, I guess)
    • You can’t escape a variable for every possible situation. What about escaping them with escapeshellcmd too ?

    PHP did this in the past. It was called magic_quotes_gpc.

    But it’s so bad practice that it’s now deprecated, and it will be removed from the next version of PHP.

    It’s better to just escape everything at the time you need to. You print a variable ? escape it. You don’t have to remember if it’s already escaped or not: it’s not.

    • 0