
Hi, I just reinstalled my whole server because of a virus. In my PHP I check strings from users with this function:

function make_safe($variable)
{
    // Turn newlines into <br /> first so they survive the tag filter (br is on the allow-list).
    $variable = nl2br($variable);
    // Remove every tag not on the allow-list, trim, then escape for the mysql_* driver.
    // strip_tags() keeps whatever attributes the allowed tags carry.
    $variable = mysql_real_escape_string(trim(strip_tags($variable, '<span><p><b><strong><i><u><br><hr><a><img>')));
    return $variable;
}

Is this function safe enough? Should I change something? Are there any problems with images that I link from external websites?

Jk1
illinois
  • Never use `mysql*` functions in new code. – Wooble Jun 05 '13 at 12:41
  • I'd say it's kinda safe. But you should think about using mysqli instead of mysql, because mysql is too old. – Modestas Stankevičius Jun 05 '13 at 12:42
  • Safe in what context, actually? If you use that in combination with mysql functions, you should consider switching to prepared statements (PDO/MySQLi). –  Jun 05 '13 at 12:43
  • Also, you ought to read the warning regarding strip_tags: "This function does not modify any attributes on the tags that you allow using allowable_tags, including the style and onmouseover attributes that a mischievous user may abuse when posting text that will be shown to other users." http://php.net/manual/en/function.strip-tags.php – PleaseStand Jun 05 '13 at 13:07
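As an added example (not code from the question or from any of the commenters), the following PHP shows what the strip_tags warning quoted above means in practice: with <img> and <a> on the allow-list, onerror=, javascript: and style= attributes pass through unchanged. It then shows one way to do what the comments suggest: filter the HTML by a tag and attribute allow-list with DOMDocument, and store the result through a PDO prepared statement instead of mysql_real_escape_string(). The sample inputs, the comments table and its columns are made up for the example, and an in-memory SQLite database stands in for MySQL so it runs offline.

```php
<?php
// Added example, not code from the question or its commenters.
// Needs the dom and pdo_sqlite extensions (both bundled with PHP).

// Constructed sample inputs: each passes the question's strip_tags()
// allow-list untouched, because strip_tags() never looks at attributes.
$samples = [
    '<b>hello</b> <img src="x" onerror="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
    '<p style="background:url(javascript:alert(1))">text</p>',
    'plain text with <script>alert(1)</script> inside',
];

$allowed_by_question = '<span><p><b><strong><i><u><br><hr><a><img>';
foreach ($samples as $s) {
    echo "strip_tags only: ", strip_tags($s, $allowed_by_question), "\n";
}
// The first three lines still carry onerror=, javascript: and style=.

// True for relative URLs and http(s) URLs; false for javascript:, data:, vbscript: ...
function safe_url(string $url): bool
{
    // Browsers ignore control characters and whitespace inside the scheme,
    // so remove them before looking at it.
    $url = preg_replace('/[\x00-\x20]+/', '', $url);
    return preg_match('#^https?://#i', $url) === 1 || strpos($url, ':') === false;
}

// Allow-list filter: known tags keep only known attributes, every other
// tag is replaced by its text content, and comments are dropped.
function sanitize_html(string $html): string
{
    $allowedTags  = ['span', 'p', 'b', 'strong', 'i', 'u', 'br', 'hr', 'a', 'img'];
    $allowedAttrs = ['a' => ['href'], 'img' => ['src', 'alt']];

    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // silence warnings on sloppy HTML
    // Wrap the fragment so it parses as one tree (for non-ASCII input, add an
    // XML encoding declaration in front of it, otherwise libxml assumes Latin-1).
    $doc->loadHTML('<div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $walk = function (DOMNode $node) use (&$walk, $doc, $allowedTags, $allowedAttrs): void {
        // Copy the child list first: removing nodes from a live NodeList
        // while iterating it skips siblings.
        foreach (iterator_to_array($node->childNodes) as $child) {
            if ($child instanceof DOMElement) {
                $tag = strtolower($child->tagName);
                if (!in_array($tag, $allowedTags, true)) {
                    $node->replaceChild($doc->createTextNode($child->textContent), $child);
                    continue;
                }
                foreach (iterator_to_array($child->attributes) as $attr) {
                    $name = strtolower($attr->name);
                    $keep = in_array($name, $allowedAttrs[$tag] ?? [], true)
                        && (($name !== 'href' && $name !== 'src') || safe_url($attr->value));
                    if (!$keep) {
                        $child->removeAttribute($attr->name);
                    }
                }
                $walk($child);
            } elseif (!($child instanceof DOMText)) {
                $node->removeChild($child);   // comments, processing instructions
            }
        }
    };
    $walk($doc->documentElement);

    $out = '';
    foreach ($doc->documentElement->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Store with a prepared statement: the value travels separately from the SQL
// text, so no escaping function is involved. Table and columns are invented
// for this example.
function store_comment(PDO $pdo, int $userId, string $rawHtml): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (user_id, body) VALUES (:uid, :body)');
    $stmt->execute([':uid' => $userId, ':body' => sanitize_html($rawHtml)]);
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');
foreach ($samples as $s) {
    store_comment($pdo, 1, $s);
}
foreach ($pdo->query('SELECT body FROM comments') as $row) {
    // nl2br() belongs here, at output time, not before storage.
    echo "stored: ", nl2br($row['body']), "\n";
}
```

For the four sample inputs the stored bodies are `<b>hello</b> <img src="x">`, `<a>click</a>`, `<p>text</p>` and `plain text with alert(1) inside`. Fields that are not meant to contain HTML at all (usernames, titles) should skip the filter entirely and be passed through htmlspecialchars() when they are printed. An external image URL that passes safe_url() is only a reference the browser fetches later; it cannot run code on the server that stores it.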

1 Answer


I don't see how an image you don't download on your server could possibly damage it. It seems safe to me.

If you still need to check for a faulty code, that's probably somewhere else ;)