SyLon, posted December 6, 2007

Hello everyone! After reading some PHP security articles, I've created two functions to prevent SQL injection and display HTML tags correctly.

The first one is for user input formatting:

    <?php
    // Escape a request parameter for use in a MySQL query:
    // strip_tags() removes HTML tags, then mysql_real_escape_string()
    // escapes quotes and backslashes for the open MySQL connection.
    function _INPUT($name) {
        if ($_SERVER['REQUEST_METHOD'] == 'GET') {
            return mysql_real_escape_string(strip_tags($_GET[$name]));
        }
        if ($_SERVER['REQUEST_METHOD'] == 'POST') {
            return mysql_real_escape_string(strip_tags($_POST[$name]));
        }
    }

The second one is for output:

    // Prepare a stored string for display: undo C-style backslash escapes,
    // encode HTML special characters, then turn newlines into <br />.
    function _STR($string) {
        return nl2br(htmlspecialchars(stripcslashes($string)));
    }

What do you think about those two functions? Will they provide the maximum security for my websites?

Thanks,
Leon.

https://forums.phpfreaks.com/topic/80459-security-in-php-two-functions-i-made/
SyLon (author), posted December 7, 2007

Anyone?? :'( :'( :'(

Thanks.
Aureole, posted December 7, 2007

For user input I just use htmlentities($var, ENT_QUOTES); I think that's one of the best things you can do... if all their " get turned into &quot; etc., then they can't really do anything, can they? Anyone feel free to correct me, however, if I'm wrong.
SyLon (author), posted December 7, 2007

So it would look like this?

    <?php
    // Same as before, but with strip_tags() swapped for
    // htmlentities($value, ENT_QUOTES) before the SQL escaping.
    function _INPUT($name) {
        if ($_SERVER['REQUEST_METHOD'] == 'GET') {
            //return mysql_real_escape_string(strip_tags($_GET[$name]));
            return mysql_real_escape_string(htmlentities($_GET[$name], ENT_QUOTES));
        }
        if ($_SERVER['REQUEST_METHOD'] == 'POST') {
            //return mysql_real_escape_string(strip_tags($_POST[$name]));
            return mysql_real_escape_string(htmlentities($_POST[$name], ENT_QUOTES));
        }
    }

Also, what do you think about the _STR function?

Thanks,
Leon.
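An added example, not code from SyLon's or Aureole's posts, covering both the original _INPUT/_STR pair and the htmlentities() variant above. It shows the split that those functions blur: input is validated but stored as-is, SQL escaping is replaced by PDO prepared statements (mysql_real_escape_string() needs a live connection and the whole mysql_* family was removed in PHP 7.0), and HTML encoding happens exactly once, at output. It also demonstrates two side effects of the posted approach: stripcslashes() in _STR interprets C escape sequences such as \t and \n inside stored data, and encoding with htmlentities() on input plus htmlspecialchars() on output renders a user's double quote as the literal text &quot;. Assumptions: the pdo_sqlite extension is available (it ships with most PHP builds), and the request array is constructed for the example rather than read from $_GET/$_POST.

```php
<?php
// Added example, not code from the thread: keep input raw, parameterize SQL,
// encode at output. Assumes the pdo_sqlite extension (bundled with most PHP
// builds); the request data below is constructed, not real traffic.
declare(strict_types=1);

// Read one request parameter without altering it. Validation (present, a
// string, not over-long, valid UTF-8) belongs here; escaping does not, because
// at this point nobody knows whether the value ends up in SQL, HTML or a log.
function input_param(array $source, string $name, int $maxLen = 255): ?string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    $value = $source[$name];
    // preg_match('//u') fails on malformed UTF-8; reject rather than "clean".
    if (strlen($value) > $maxLen || preg_match('//u', $value) !== 1) {
        return null;
    }
    return $value;
}

// Encoder for HTML text and attribute context: ENT_QUOTES covers both quote
// styles, and the explicit charset avoids relying on the ini default.
function html_out(string $s): string
{
    return nl2br(htmlspecialchars($s, ENT_QUOTES, 'UTF-8'));
}

// Write and read back through prepared statements. Bound values are sent as
// data, so quotes and backslashes in them never reach the SQL parser.
function save_and_load(PDO $db, string $name, string $body): array
{
    $db->exec('CREATE TABLE IF NOT EXISTS comments (name TEXT, body TEXT)');
    $ins = $db->prepare('INSERT INTO comments (name, body) VALUES (:n, :b)');
    $ins->execute([':n' => $name, ':b' => $body]);

    $sel = $db->prepare('SELECT name, body FROM comments WHERE name = :n');
    $sel->execute([':n' => $name]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    return $row === false ? [] : $row;
}

// Constructed request: an apostrophe, a Windows path whose backslashes form
// C escape sequences, a script tag, a double quote and a newline.
$request = [
    'name' => "O'Brien",
    'body' => "C:\\temp\\new\n<script>alert(1)</script> \"quoted\"",
];

$name = input_param($request, 'name');
$body = input_param($request, 'body', 2000);
if ($name === null || $body === null) {
    exit("rejected input\n");
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$row = save_and_load($db, $name, $body);

// Round trip is lossless: nothing was escaped on the way in.
if ($row['name'] !== $name || $row['body'] !== $body) {
    throw new RuntimeException('stored data was altered');
}

// Encoding happens once, here, so the browser sees text, not markup.
echo html_out($row['name']), "\n", html_out($row['body']), "\n";

// Two side effects of escaping on the way in and unescaping on the way out:
// 1. stripcslashes() turns the \t and \n of a stored path into a tab and a
//    newline, so "C:\temp\new" does not come back as typed.
if (stripcslashes('C:\\temp\\new') !== "C:\temp\new") {
    throw new RuntimeException('unexpected stripcslashes() result');
}
// 2. htmlentities() at input plus htmlspecialchars() at output double-encodes,
//    so a user's " is displayed as the literal text &quot;.
$twice = htmlspecialchars(htmlentities('"', ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8');
if ($twice !== '&amp;quot;') {
    throw new RuntimeException('unexpected double-encoding result');
}
echo "checks passed\n";
```

Run it with `php example.php`: the apostrophe and the backslashes survive the database round trip untouched, the script tag is printed as `&lt;script&gt;` rather than executed, and the two checks at the end pass. The design choice is that each consumer of the data does its own escaping (PDO for SQL, html_out() for HTML), so the same stored value can later go into JSON, a mail header or a log without first having to undo someone else's encoding.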