runnerjp Posted March 9, 2010

Ok, I have come across this function...

    function check_input($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }

Would this have any other advantages than mysql_real_escape_string??
Wolphie Posted March 9, 2010

It has no advantages OVER mysql_real_escape_string(), but it does help, depending on what you're trying to achieve. mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

mysql_real_escape_string() prevents SQL injections; however, things such as htmlspecialchars() can help prevent cross-site scripting. Do you see the difference?
runnerjp Posted March 9, 2010 (Author)

So if I did this

    function check_input($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        $data = mysql_real_escape_string($data);
        return $data;
    }

would that work to prevent both SQL and cross-site??
Wolphie Posted March 9, 2010

Yes, but before using stripslashes() you should really check if it's necessary. If magic_quotes_gpc() isn't enabled, then it isn't necessary to use.
salathe Posted March 9, 2010

Why do you feel the need to call trim, stripslashes and htmlspecialchars on the input? You seem to be confusing a couple of things, or trying to do everything in one place. In particular, htmlspecialchars has no place being anywhere near input... why would anyone want to store all input data as HTML-encoded strings? Sure, it can be useful when outputting data (in this case, from the database).

Back to the original question: the only advantage would be towards an attacker looking for an easy way into your site.
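An added example, not code from the thread, contrasting runnerjp's combined helper with escaping at each boundary the way salathe describes. escapeForMysql(), sqlLiteral() and renderHtml() are constructed names; escapeForMysql() re-implements only the escaping rules Wolphie lists, because mysql_real_escape_string() no longer exists in current PHP, and real code should use prepared statements instead.

```php
<?php
// Added example, not code from the thread. It contrasts the "do everything on
// input" helper with escaping at each output boundary.
// mysql_real_escape_string() is gone in PHP 7+, so escapeForMysql() is a
// constructed stand-in applying the rules Wolphie quotes (a backslash before
// \x00, \n, \r, \, ', " and \x1a). Use prepared statements in real code.

function escapeForMysql(string $s): string
{
    return strtr($s, [
        "\x00" => "\\0", "\n" => "\\n", "\r" => "\\r", "\\" => "\\\\",
        "'" => "\\'", "\"" => "\\\"", "\x1a" => "\\Z",
    ]);
}

// The thread's combined helper (ENT_QUOTES added so the result is the same on
// every PHP version; stripslashes() is only correct under magic_quotes_gpc).
function check_input(string $data): string
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data, ENT_QUOTES);
    return escapeForMysql($data);
}

// Boundary approach: keep the raw value, escape for SQL only when the query
// literal is built, and HTML-encode only when the value is rendered.
function sqlLiteral(string $raw): string
{
    return "'" . escapeForMysql($raw) . "'";
}

function renderHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES);
}

$input = "O'Reilly <b>& sons</b>";   // constructed sample input

// 1. Input-time helper: the quote was entity-encoded before the SQL escape
//    ran, so the SQL escape had nothing left to do and the row stores HTML
//    entities rather than the text the user typed.
$stored = check_input($input);
echo "stored:        $stored\n";

// 2. Rendering that stored row with htmlspecialchars() again double-encodes
//    it, so the visitor sees a literal "&#039;" and "&lt;b&gt;" on the page.
echo "double-encode: " . renderHtml($stored) . "\n";

// 3. Boundary approach: the SQL literal is escaped, the row keeps the raw
//    text, and the HTML output is encoded exactly once.
echo "sql literal:   " . sqlLiteral($input) . "\n";
echo "html output:   " . renderHtml($input) . "\n";
```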