Home/ Questions/Q 525549
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T08:41:00+00:00

This was taken from O’Reilly’s Learn PHP, MySQL, and Javascript : function sanitizeString($var) {

  • 0

This was taken from O’Reilly’s Learn PHP, MySQL, and Javascript:

function sanitizeString($var)
{
    $var = stripslashes($var);
    $var = htmlentities($var);
    $var = strip_tags($var);
    return $var;
}

function sanitizeMySQL($var)
{
    $var = sanitizeString($var);
    $var = mysql_real_escape_string($var);
    return $var;
}

Is this all one needs for handling POST and GET data? Given the source, I fear this has been dumbed down for beginners and I’m leaving myself vulnerable to attack later on.

Thank you.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It’s not possible to generally and indiscriminately “sanitize” incoming data. It always depends on what you want to do with it.

    The sanitizeString() method is suitable to clean up content that you can’t trust (e.g. from an unsecured form) that is to be displayed within the HTML output of your page. Nothing else. It will remove information such as tags, and it will modify special characters.

    The sanitizeMySQL() method will do that, plus make it safe to use in a mySQL Query. Again, this is useful only if you want to strip down user input e.g. for a guest book or a shoutbox. If you had a CMS with authorized users, you would not want to do this.

    Under no circumstances always apply this to all incoming variables. If you have an order form for example, that is forwarded to you through E-Mail, htmlspecialchars() would convert all special characters into entities – that are displayed literally (like ") in a text-only E-Mail. You wouldn’t want to do that.

    For a general overview on what sanitation to use where I think this is a good answer. Additionally, if you are going to send E-Mail based on incoming data, check out Mail injections.

    • 0