
Could this function be more secure?



OK, I have been hacked 3 times before, so I am redesigning my website and this time I am taking security very seriously. I made a few functions; could someone look them over and tell me if there is anything else I could do to make them more secure?

 

<?php
// mysql_real_escape_string() needs an open ext/mysql connection;
// that extension was removed in PHP 7.0.
function secure_globals($string, $length){
	$string = trim($string);
	$string = utf8_decode($string);                  // UTF-8 -> ISO-8859-1 (unmappable chars become '?')
	$string = htmlentities($string, ENT_NOQUOTES);   // encode HTML special chars, but leave quotes alone
	$string = str_replace("#", "&#35;", $string);    // numeric entity references need the trailing ';'
	$string = str_replace("%", "&#37;", $string);
	$string = mysql_real_escape_string($string);     // escape for a MySQL string literal (backslashes quotes)
	$string = htmlspecialchars($string);             // second HTML encoding: '&' from above becomes '&amp;'
	$length = intval($length);
	if ($length > 0){
		$string = substr($string, 0, $length);       // truncates after encoding, so an entity can be cut in half
	}
	return $string;
}
?>

 

and then all variables that the user could possibly edit are stored as (for example):

<?php
$page = secure_globals($_GET['page'], 32);
$action = secure_globals($_GET['action'], 32);
$user = secure_globals($_POST['username'], 16);
$pass = secure_globals($_POST['password'], 32);
?>

 

I know I'm going a little overboard on this, but is there any way to make it even more secure? I've never dealt with PHP security holes before!  ::)

https://forums.phpfreaks.com/topic/104973-could-this-function-be-more-secure/
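As an added example (not code from the original post), here are the same four inputs handled by validating each against what the page actually expects, sending database values through a prepared statement instead of escaping them, hashing the password instead of sanitising it, and HTML-escaping only at the moment a value is printed. It assumes PHP 7 or later with pdo_sqlite; the list of page names, the users table and the sample requests are constructed for the example.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7+ with pdo_sqlite.
declare(strict_types=1);

// 1. Validate on input: accept only what the application expects, reject the rest.
function validate_page(string $raw): string {
    // $page selects a template, so compare against a whitelist (assumed names).
    $allowed = ['home', 'login', 'profile'];
    return in_array($raw, $allowed, true) ? $raw : 'home';
}

function validate_username(string $raw): ?string {
    // 3-16 characters, letters/digits/underscore only; null means "reject".
    return preg_match('/^[A-Za-z0-9_]{3,16}$/', $raw) === 1 ? $raw : null;
}

// 2. Passwords are never escaped or truncated; they are hashed and compared.
function store_password(string $raw): string {
    return password_hash($raw, PASSWORD_DEFAULT);
}

function check_password(string $raw, string $stored_hash): bool {
    return password_verify($raw, $stored_hash);
}

// 3. Database: a placeholder keeps the value as data, so no escaping is needed.
function find_user(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT id, username, pw FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 4. Output: HTML-escape where the value is written into HTML, not before.
function render_greeting(string $username): string {
    return '<p>Hello, ' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed in-memory database and constructed sample requests.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw TEXT)');
$db->prepare('INSERT INTO users (username, pw) VALUES (?, ?)')
   ->execute(['alice', store_password("correct horse' battery")]);

$sample_get  = ['page' => '../../etc/passwd'];
$sample_post = ['username' => "alice' OR '1'='1", 'password' => "correct horse' battery"];

$page = validate_page($sample_get['page']);          // 'home': not in the whitelist
$user = validate_username($sample_post['username']); // null: quote and spaces rejected

echo "page: $page\n";
echo 'user: ' . ($user === null ? 'rejected' : $user) . "\n";

// Even if the injection string reached the query, the placeholder keeps it as a literal.
var_dump(find_user($db, $sample_post['username']));  // NULL: no such username

$alice = find_user($db, 'alice');
var_dump(check_password($sample_post['password'], $alice['pw'])); // bool(true)
echo render_greeting('<script>alert(1)</script>'), "\n";         // tags are entity-encoded
```

The point of the split is that each sink needs its own encoding: the quote in the password above survives hashing and verification untouched, while the original function would have turned it into `\'` before it ever reached the database, and truncated the result to 32 characters on top of that.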

Well, someone somehow uploaded a file to my server. My server doesn't have an FTP service, as it is running on my computer. The file that got uploaded was a PHP script that took control of my computer. It started by creating and running a batch file that shut down my netstat, firewall, and Windows Defender. When I looked at the logs for XAMPP it said that someone tried to access a file called index.php?page= and then a bunch of numbers, which I now know was ASCII. Then my hard drive J started to malfunction and started to lose about 1 GB every 10-15 minutes. My computer then stopped being capable of accessing my hard drive J, so I turned it off (it was an external drive). Then I started getting pop-ups that Windows didn't have enough memory, and then I got the BSOD (Blue Screen of Death), you know, the x86 processor error message. My computer wouldn't turn back on and I lost about 15,000 lines of PHP. I re-installed Windows XP, and here I am telling you about it about 6 months from when it happened. Worst part is I didn't get the IP address, because all the log files got deleted when I re-installed Windows...

OK, so one thing I would add to this function is some of these: http://us3.php.net/manual/en/ref.var.php (check out the "is_..." section)

 

Make sure that the stuff you want to receive is a string, number, float, boolean, etc.

 

Don't accept an int if you wanted a string.

 

Secondly, if this is for file upload, make another function like this: http://phpsnips.com/snippet.php?id=2

 

then make an array of "valid" extensions:

<?php
// Returns TRUE only when the file's (last) extension is in the whitelist.
function has_acceptable_extension($filename){
    $acceptable = array('.html','.htm','.jpg','.gif');
    $ext = '.' . strtolower(pathinfo($filename, PATHINFO_EXTENSION));

    if(in_array($ext, $acceptable, true)){
        return TRUE;
    }else{
        return FALSE;
    }
}

var_dump(has_acceptable_extension('photo.jpg'));  // bool(true)
var_dump(has_acceptable_extension('shell.php'));  // bool(false)
?>

 

if you have access to .htaccess files, which you should since this is your server, create one and add this:

 

RemoveType .php
AddType application/x-httpd-php-source .php
AddHandler application/x-httpd-php-source .php

 

this will not allow PHP to run in the directory (and its subdirectories) that you place the .htaccess file in; it will do this to it: http://tzfiles.com/users/ryan/Hello.php

 

In the function, you could also use the addslashes() function.
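As an added example (not the poster's code), here are the upload checks from the reply above carried through: whitelist the extension, confirm the file's bytes really have the content type that extension promises, and write the file under a fresh random name in a directory the web server does not serve. It assumes PHP 7 or later with the fileinfo extension; the whitelist, the temporary upload directory and the two sample files are constructed for the example.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7+ with ext/fileinfo.
declare(strict_types=1);

// Whitelist keyed by extension, paired with the MIME type the bytes must actually have.
const ACCEPTABLE = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
];

// Returns the validated extension, or null if the upload must be rejected.
function check_upload(string $client_name, string $bytes): ?string {
    // Only the final extension counts, lower-cased: "shell.php.gif" yields "gif".
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset(ACCEPTABLE[$ext])) {
        return null;
    }
    // Sniff the bytes; the client-supplied name and Content-Type header are both attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($bytes);
    return $mime === ACCEPTABLE[$ext] ? $ext : null;
}

// Stores the file under a random name carrying only the validated extension, in a
// directory outside the document root, and returns that name (or null on rejection).
function store_upload(string $upload_dir, string $client_name, string $bytes): ?string {
    $ext = check_upload($client_name, $bytes);
    if ($ext === null) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // original name is never reused
    file_put_contents($upload_dir . DIRECTORY_SEPARATOR . $name, $bytes);
    return $name;
}

// Constructed sample inputs: a minimal 1x1 GIF, and a PHP payload with a double extension.
$gif     = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;";
$payload = "<?php system(\$_GET['c']); ?>";

// Constructed upload directory under the system temp dir (stand-in for a path outside the web root).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

var_dump(store_upload($dir, 'photo.jpg', $gif));         // NULL: a .jpg must be image/jpeg
var_dump(store_upload($dir, 'photo.gif', $gif));         // string(36): stored as <random>.gif
var_dump(store_upload($dir, 'shell.php', $payload));     // NULL: extension not whitelisted
var_dump(store_upload($dir, 'shell.php.gif', $payload)); // NULL: bytes are PHP, not a GIF
```

Renaming is what defeats the double-extension trick: even where the extension check passes, nothing of the client's filename reaches disk, so Apache's multiple-extension handling never sees a `.php` in the name. If uploads must live inside the document root after all, under mod_php a `php_flag engine off` line in that directory's .htaccess (where AllowOverride permits it) stops the interpreter from running anything there; that directive has no effect under PHP-FPM, where the equivalent has to be configured in the web server's handler mapping instead.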
