
Using PHP functions to filter input, is this okay to do?


sourcy



public function checkUser($username, $email, $emailConfirm)
{
   if (!$this->_dataCheck->checkEmail($email, $emailConfirm))
   {
       return "Emails do not match, or the email is invalid";
   }
   if (!ctype_alnum($username))
   {
       return "Username must only contain numbers and letters";
   }

   // $username and $email are interpolated straight into the SQL text here
   $this->_db->query("SELECT username, email FROM users WHERE username='$username' OR email='$email'");

   if ($this->_db->numRows() != 0)
   {
       return "Username or email is already in use, please try again";
   }
   return "success"; // this is where I will add them to the table "users" if they do not already exist and passed all my other checks
}

And here is my check email function

public function checkEmail($email1, $email2)
{
   if ($email1 == $email2 && filter_var($email1, FILTER_VALIDATE_EMAIL))
   {
       return TRUE;
   }
   else
   {
       return FALSE;
   }
}

Basically my question is simple: is there any risk to checking for the input to be alphanumeric and a valid email using PHP's built-in functions, so as to avoid SQL injections and XSS? Never done it like this before, but I'm re-coding a site from scratch and I feel like this would work better.


Anyone see any problems?

There's nothing wrong with using the PHP filter functions like you have. In fact, that's how you're meant to use them, and what they were made for: input validation.

 

However, they do not (specifically) protect against SQL injections or HTML injection (XSS etc) attacks. Input validation is not a substitute for proper output escaping, nor is the opposite true. They both should be used, as they work in conjunction with each other.

Add $db->real_escape_string() around those variables when you insert them into the query, and htmlspecialchars() around all of the (user-generated) content you echo out. With that and the above input validation you'll be good. ;)
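To make the "validation and escaping are separate layers" point concrete, here is an added example (not the original poster's code and not the reply's) that reuses the thread's checkEmail/checkUser logic and runs it against a few constructed inputs. It goes one step beyond the reply's real_escape_string advice by using a PDO prepared statement for the existence check, which keeps the values out of the SQL text altogether; PDO::quote() is shown alongside it as the driver-aware equivalent of real_escape_string. It assumes the pdo_sqlite extension is available so the "users" table can live in an in-memory SQLite database; the table, its rows and all inputs are constructed for the example.

```php
<?php
// Added example, not code from the thread. Assumes pdo_sqlite is installed.
declare(strict_types=1);

// Same validation rule as the original post's checkEmail().
function checkEmail(string $email1, string $email2): bool
{
    return $email1 === $email2
        && filter_var($email1, FILTER_VALIDATE_EMAIL) !== false;
}

// Same checks as the original post's checkUser(), but the lookup uses a
// prepared statement instead of string interpolation.
function checkUser(PDO $db, string $username, string $email, string $emailConfirm): string
{
    if (!checkEmail($email, $emailConfirm)) {
        return "Emails do not match, or the email is invalid";
    }
    if (!ctype_alnum($username)) {
        return "Username must only contain numbers and letters";
    }

    // Placeholders: the values never become part of the SQL text, so a
    // quote inside a perfectly valid email address cannot alter the query.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM users WHERE username = :username OR email = :email'
    );
    $stmt->execute([':username' => $username, ':email' => $email]);

    if ((int) $stmt->fetchColumn() !== 0) {
        return "Username or email is already in use, please try again";
    }
    return "success";
}

// Constructed in-memory database standing in for the real "users" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, email TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'alice@example.com')");

// Constructed inputs. The username check blocks the classic quote-based
// injection attempt, but both ' and & are legal in an email local part, so
// FILTER_VALIDATE_EMAIL accepts them. Each is dangerous in a different
// context: the apostrophe in SQL, the ampersand in HTML.
$inputs = [
    ['alice',        'alice@example.com',   'alice@example.com'],   // already taken
    ["x' OR '1'='1", 'eve@example.com',     'eve@example.com'],     // stopped by ctype_alnum
    ['bob',          "o'brien@example.com", "o'brien@example.com"], // valid email, SQL-hostile
    ['carol',        'a&b@example.com',     'a&b@example.com'],     // valid email, HTML-hostile
];

foreach ($inputs as [$username, $email, $emailConfirm]) {
    $result = checkUser($db, $username, $email, $emailConfirm);

    // What the original interpolated query would have looked like. For
    // o'brien the apostrophe ends the string literal early, which is exactly
    // why validation alone does not protect the SQL context.
    $naive = "SELECT username, email FROM users WHERE username='$username' OR email='$email'";

    // SQL-context escaping (what the reply's real_escape_string() does;
    // PDO::quote() also adds the surrounding quotes). Only needed if you
    // insist on building SQL strings instead of using placeholders.
    $quoted = $db->quote($email);

    // HTML-context escaping, applied at output time to anything user-supplied
    // that is echoed into a page, here the submitted email in the message.
    $html = htmlspecialchars("Result for $email: $result", ENT_QUOTES, 'UTF-8');

    echo $naive, "\n", $quoted, "\n", $html, "\n\n";
}
```

Run it with `php` on the command line and compare the three lines printed per input: the interpolated query shows where an accepted value breaks the SQL, the quoted value shows how escaping repairs it for that one context, and the htmlspecialchars() line shows that the same accepted value needs a different escaping for the page. Validation narrows what gets in; each output context still escapes for itself.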
