mahen23 - 1 year ago
PHP Question

A better SQL string sanitization function

I am currently using the function below to sanitize my $_POST and $_GET against SQL injection. Unfortunately, I cannot post code through it, for example: "<a href test". How does Twitter do it?

function _secinput($variable)
{
    return filter_var(mysql_real_escape_string($variable), FILTER_SANITIZE_STRING);
}

Plus, can anyone suggest how I can improve it in any way?

Answer Source

There can never and will never be one function to sanitize everything. You must choose the right tool for the job.

1) htmlspecialchars($var,ENT_QUOTES) works well for most XSS.

2) Parameterized query libraries like PDO and MySQLi work best for SQL injection.

3) For CRLF injection, just remove new lines: str_replace("\n","",$var)

4) For Command injection use escapeshellarg()

And there are many other forms of injection.
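The separation the answer describes, as an added example that is not code from the question or the answer: the post body is stored unchanged through a PDO prepared statement (point 2), and htmlspecialchars with ENT_QUOTES is applied only when the body is rendered into HTML (point 1). The in-memory SQLite database and the `posts` table are assumptions made so the script runs offline.

```php
<?php
// Added example, not from the original thread. Assumes PHP with the pdo_sqlite
// driver; the `posts` table and in-memory DSN are constructed for the demo.

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// SQL injection: bind the value instead of escaping it into the query string.
// Because the body is data, not query text, markup such as <a href> survives
// intact instead of being stripped the way FILTER_SANITIZE_STRING does.
function storePost(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadPost(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// XSS: encode for the HTML context at output time, not at input time.
function renderPost(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample input containing both a quote character and HTML markup,
// the two things the question's _secinput() cannot store faithfully.
$pdo  = connect();
$id   = storePost($pdo, "Read this: <a href=\"http://example.com\">link</a>' or '1'='1");
$raw  = loadPost($pdo, $id);
// $raw is byte-for-byte the submitted text: the quote never reached the parser.
echo renderPost($raw), PHP_EOL;   // the tag and quotes appear as text, not markup
```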