Home/ Questions/Q 8067219
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T12:13:16+00:00

Possible Duplicate: The ultimate clean/secure function After reading up on PHP security I have

  • 0

Possible Duplicate:
The ultimate clean/secure function

After reading up on PHP security I have the feeling that anything I code is always insecure. So to combat the security issues of user input I have created a function that allows me to escape and strip user input for any usage situation.

I would just like to know if this is in fact secure and if I could make it more secure. Also what kind of attacks would this prevent? From what I can tell XSS by using _GET, HTML input and MYSQL injection would have been prevented?

function _INPUT($name,$tag,$sql,$url)
{
if ($_SERVER['REQUEST_METHOD'] == 'GET')
    $filter = ($_GET[$name]);//Assign GET to filter variable

    if ($tag == true)//Remove all HTML, PHP and JAVASCRIPT tags
    {
        $filter = strip_tags($filter);
    }
    if ($sql == true)//If MYSQL escaping is enabled
    {
        $filter = mysql_real_escape_string($filter);
    }
    if ($url == true)//If URL encoding is enabled
    {
        $filter = urlencode($filter);
    }
    return $filter;     

}

$output = _INPUT('name',true,true,true);

I will be using prepared statements for MYSQL too, although I need to read up on them more to fully understand how it prevents injection.

Thank you for your time.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Once again, there is no universal escape function that just magically makes things “secure”.

    See this: https://stackoverflow.com/a/7810880/362536

    Different escape methods are used for different things. You can’t just run a bunch of data through a bunch of functions that are supposed to be used in specific contexts. You are creating garbage data, and are no more secure than you were with the raw user data in the first place.

    • 0