fantomel, posted June 30, 2010:

I needed a function for cleaning input data, and I'm not the best at PHP security; I just started to learn about it, so I need some advice and corrections.

```php
function cleanInput($string) {
    return nl2br(htmlspecialchars(strip_tags(trim(urldecode($string)))));
}
```

Should I add anything else to this function? On each insert into MySQL I add mysql_real_escape_string.

Link to comment: https://forums.phpfreaks.com/topic/206329-function-for-cleaning-input-data/
marcus, posted June 30, 2010:

mysql_real_escape_string should be all you need for input, but for output you could use those.

Link to comment: https://forums.phpfreaks.com/topic/206329-function-for-cleaning-input-data/#findComment-1079345
ChemicalBliss, posted June 30, 2010:

You shouldn't really find every function you can and stuff it into a sanitization function. MySQL injection is really easy to protect against:

```php
$name = mysql_real_escape_string($name);
```

For form data, you have to worry about JavaScript injection (XSS attacks), so you don't display malicious JavaScript someone put as their name etc.:

```php
$sanitized = htmlentities($input);
```

Also, form data should be specifically sanitized (like an email address, and a name must only contain alphabet characters etc.):

```php
if (!preg_match("/^[a-z ]+$/i", $name)) {
    echo("Name can only contain Alphabet characters and Spaces");
}
```

Hope this helps,
-cb-

Link to comment: https://forums.phpfreaks.com/topic/206329-function-for-cleaning-input-data/#findComment-1079349
KevinM1, posted June 30, 2010:

Here you go:

```php
<?php
function clean($value)
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = clean($v);
        }
    } else {
        if (get_magic_quotes_gpc() == 1) {
            $value = stripslashes($value);
        }
        $value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8")); // convert input into friendly characters to stop XSS
        $value = mysql_real_escape_string($value);
    }
    return $value;
}
?>
```

Link to comment: https://forums.phpfreaks.com/topic/206329-function-for-cleaning-input-data/#findComment-1079354
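The two answers above make the same underlying point from different angles: validate each field against what it is allowed to contain, and treat SQL and HTML as separate problems. The following is an added example (written for this thread, not code posted by ChemicalBliss or KevinM1) that carries that separation through: per-field allow-list validation with preg_match and filter_var, a PDO prepared statement for storage in place of the mysql_real_escape_string call used in the thread (bound parameters keep the value out of the query text entirely), and htmlspecialchars applied only when a value is rendered. The function names (validateForm, insertUser, h), the users table and the submissions are all constructed for the example, and it assumes the pdo_sqlite extension so it runs without a MySQL server.

```php
<?php
declare(strict_types=1);

// Allow-list validation per field (constructed for this example).
// Returns an array of error messages keyed by field; empty means valid.
function validateForm(array $input): array
{
    $errors = [];

    // Name: letters, spaces, apostrophes and hyphens only, so O'Brien and
    // Smith-Jones pass while anything containing < > ; or quotes is rejected.
    $name = trim((string) ($input['name'] ?? ''));
    if (!preg_match('/^[A-Za-z][A-Za-z\' -]{0,63}$/', $name)) {
        $errors['name'] = 'Name can only contain letters, spaces, apostrophes and hyphens';
    }

    // E-mail: use the built-in validator rather than a hand-written regex.
    $email = trim((string) ($input['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid e-mail address';
    }

    // Age: whole number in a sensible range.
    $age = $input['age'] ?? '';
    $opts = ['options' => ['min_range' => 0, 'max_range' => 150]];
    if (filter_var($age, FILTER_VALIDATE_INT, $opts) === false) {
        $errors['age'] = 'Age must be a whole number between 0 and 150';
    }

    return $errors;
}

// Storage: bound parameters mean the driver never parses the value as SQL,
// so no escaping function is applied and the stored text is the original.
function insertUser(PDO $db, string $name, string $email, int $age): int
{
    $stmt = $db->prepare('INSERT INTO users (name, email, age) VALUES (:name, :email, :age)');
    $stmt->execute([':name' => $name, ':email' => $email, ':age' => $age]);
    return (int) $db->lastInsertId();
}

function fetchName(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return (string) $stmt->fetchColumn();
}

// Output: HTML-encode at the moment a value is placed into a page.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// In-memory SQLite so the example runs offline (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, age INTEGER)');

// Constructed submission that passes validation.
$submission = ['name' => "O'Brien", 'email' => 'ob@example.com', 'age' => '42'];
$errors = validateForm($submission);
if ($errors === []) {
    $id = insertUser($db, trim($submission['name']), trim($submission['email']), (int) $submission['age']);
    $stored = fetchName($db, $id);
    var_dump($stored === "O'Brien");            // bool(true): stored as typed, no entities, no backslashes
    echo '<td>' . h($stored) . "</td>\n";       // <td>O&apos;Brien</td>: encoded only for this HTML context
}

// Constructed submission that validation rejects before anything reaches the database.
$bad = ['name' => 'Bob <b>', 'email' => 'not-an-email', 'age' => 'x'];
print_r(validateForm($bad));
```

Keeping the stored value raw is what makes the separation work: the same name can later be placed in HTML, in a JSON response or in an e-mail header with the encoder appropriate to each, whereas a value that was run through htmlspecialchars before storage carries HTML entities into every other context and is double-encoded if the output code encodes it again.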
fantomel, posted June 30, 2010 (author):

I've read so many tutorials about PHP security on forms and stuff like that, that I think in the end I got lost. Thank you everyone for your responses.

@ChemicalBliss I always do a preg_match on fields from forms according to what they have to do: a-zA-Z or only numbers, depends :D Again, thank you everyone for your responses.

Link to comment: https://forums.phpfreaks.com/topic/206329-function-for-cleaning-input-data/#findComment-1079372