Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
This is the sanitization function used in a book I recently learned from – Sams Teach Yourself Ajax, JavaScript, and PHP All in One.
I’ve been using it on my own PHP site. Is it safe for real-world usage?
function sanitizestring($var)
{
$var = strip_tags($var);
$var = htmlentities($var);
$var = stripslashes($var);
return mysql_real_escape_string($var);
}
I would say that is too general. It may be safe for a lot of uses, but it would often give unwanted side affects to strings. Not every string should be escaped like that.
mysql_real_escape_string()should be used within SQL queries only. Better still, bind params with PDO.htmlspecialchars()is more of your friend. Give it the character set as an argument.So I would use
mysql_real_escape_string()for queries, andhtmlspecialchars()for echoing user submitted strings. There is also a lot more to know. Do some further reading.