Reputation: 3797
Would this sanitize function save from most of attacks?
Would this function save my app from most of incorrect input? User input should be text only with numbers.
function sanitize($data){
$data = strip_tags($data);
$data = htmlspecialchars($data,ENT_QUOTES);
$data = filter_var($data,FILTER_SANITIZE_STRING);
$data = filter_var($data,FILTER_SANITIZE_STRING,FILTER_FLAG_STRIP_LOW);
return $data;
}
P.S. Any additional info required?
Upvotes: 0
Views: 191
Answers (1)
Reputation: 22340
There is no such thing as "just sanitising" data. You have to sanitise data appropriately for a particular use case, whether that be sending to a database, using as a filename, echoing out to the user, whatever. Your attempt to sanitise data, full stop, is doomed to failure because there is no such thing as sanitising data, full stop. It does not even make sense. The notion of "sanitising" data only makes sense when paired with a context for which you want the data to be sanitised.
In particular, if you intend to sanitise data for entry into a database (not clear - your question makes no particular reference to a database but it has the "sql-injection" tag), then you most likely need information about the database connection that you are using in order to do it correctly.
Upvotes: 3
Related Questions
- The ultimate clean/secure function
- Is FILTER_SANITIZE_STRING enough to avoid SQL injection and XSS attacks?
- PHP input sanitizer function?
- A better SQL string sanitization function
- creating a sanitizing function
- Sanitizing user input, is it safe?
- security preference in php, php functions to sanitize input
- Is this function pair suitable sanitization?
- Is this a safe/strong input sanitization function?
- Are these two functions overkill for sanitization?