
Would this function save my app from most incorrect input? User input should be text only, with numbers.

function sanitize($data){
    $data = strip_tags($data);                           // remove HTML/PHP tags
    $data = htmlspecialchars($data,ENT_QUOTES);          // encode < > & " '
    $data = filter_var($data,FILTER_SANITIZE_STRING);    // strip tags again (filter deprecated in PHP 8.1)
    $data = filter_var($data,FILTER_SANITIZE_STRING,FILTER_FLAG_STRIP_LOW); // also drop bytes < 32
    return $data;
}

P.S. Any additional info required?

asked by Jevgeni Smirnov, edited by DaveRandom

  • As you have tagged this question with "sql-injection" you should use an appropriate function based on your DB-connection; e.g. mysql_real_escape_string or use a prepared statement. If you only want to leave alphanumeric characters you probably could use a regex to strip any other chars. – feeela Apr 25 '12 at 11:00
  • possible duplicate of [The ultimate clean/secure function](http://stackoverflow.com/questions/4223980/the-ultimate-clean-secure-function) – Your Common Sense Apr 25 '12 at 11:05

1 Answer

There is no such thing as "just sanitising" data. You have to sanitise data appropriately for a particular use case, whether that be sending to a database, using as a filename, echoing out to the user, whatever. Your attempt to sanitise data, full stop, is doomed to failure because there is no such thing as sanitising data, full stop. It does not even make sense. The notion of "sanitising" data only makes sense when paired with a context for which you want the data to be sanitised.

In particular, if you intend to sanitise data for entry into a database (not clear - your question makes no particular reference to a database but it has the "sql-injection" tag), then you most likely need information about the database connection that you are using in order to do it correctly.

answered by Hammerite
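The following is an added example, not code from the question or from the answer above. It makes the answer's point concrete with the asker's own scenario: the same string handled per context (whitelist validation at the boundary, a bound parameter for SQL, escaping at HTML output time), next to the question's generic "sanitise then concatenate" approach. It assumes PHP 7.4+ with the pdo_sqlite extension; the function names, table and sample rows are made up for the demo.

```php
<?php
// Added example, not code from the question or the answer. Assumes PHP 7.4+
// with pdo_sqlite; validate_alnum(), find_user_by_id(), html() and the
// users table are made up for this demonstration.

declare(strict_types=1);

// Context 0: validation. The asker said input is "text only with numbers",
// so accept [A-Za-z0-9] and nothing else (the regex feeela suggested).
// Return null to reject; do not "repair" bad input and carry on.
function validate_alnum(string $data, int $maxLen = 32): ?string
{
    return preg_match('/\A[A-Za-z0-9]{1,' . $maxLen . '}\z/', $data) === 1 ? $data : null;
}

// Context 1: SQL. A prepared statement sends the value separately from the
// query text, so the driver never parses the value as SQL.
function find_user_by_id(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Context 2: HTML. Escape when the string is written into a page, not when
// it arrives, and name the charset so a stray multibyte sequence cannot
// break the encoding.
function html(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed demo data (in-memory SQLite, nothing touches disk).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed attacker input for a numeric column: no tags and no quotes,
// so strip_tags() and htmlspecialchars() have nothing to change.
$input = '1 OR 1=1';

// The question's approach: "sanitise" generically, then concatenate.
$cleaned   = htmlspecialchars(strip_tags($input), ENT_QUOTES);
$viaConcat = $db->query("SELECT id, name FROM users WHERE id = $cleaned")
                ->fetchAll(PDO::FETCH_ASSOC);

// The same string as a bound parameter: compared as the literal text
// '1 OR 1=1' against an integer column, so it matches no row.
$viaBind = find_user_by_id($db, $input);

// Whitelist first: the request is rejected before any query is built.
$valid = validate_alnum($input);

printf("concatenated: %d rows, bound: %d rows, whitelist: %s\n",
    count($viaConcat), count($viaBind), $valid === null ? 'rejected' : 'accepted');

// The HTML context gets its own escaping, applied only at output time.
echo html('<b>bob</b> said "hi" & left'), "\n";
```

Run it with `php example.php`. The concatenated query returns both rows because the "cleaned" string is byte-for-byte the attacker's input, the bound query returns none, and the whitelist rejects the input before a query exists. The HTML escaping on the last line is the only place the `<`, `"` and `&` encoding belongs; doing it on the way in, as the question's function does, would also corrupt the value stored in the database.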