Using a single method to clean data

Asked Sep 08 '13 at 23:41

Active Sep 08 '13 at 23:41

Viewed 765 times

Since security is always something that is a concern, is it fine to just use the following method whenever I need to clean data that I don't know is safe?

function clean_data($input) {
  return mysqli_real_escape_string($cxn, htmlspecialchars(strip_tags(trim($input))));
}

Or is something that I shouldn't do?

asked Sep 08 '13 at 23:41

John

7

Just use prepared statements / parameterized queries with mysqli or pdo and you wont have to worry about escaping data for db queries. – JimL Sep 08 '13 at 23:42
What have `strip_tags` and `htmlspecialchars` to do with DB? – raina77ow Sep 08 '13 at 23:43
http://stackoverflow.com/a/130323/285587 – Your Common Sense Sep 08 '13 at 23:43
2

What you have is useless at best and potentionally dangerous. – PeeHaa Sep 08 '13 at 23:43
1

There is no "Catch All" solution to sanitizing DB input. It needs to be specific to the type of input you expect to receive. – Ohgodwhy Sep 08 '13 at 23:44
1

@Ohgodwhy: my suggestion is a catch all solution ;) – JimL Sep 08 '13 at 23:45
@JimL, I was planning on using this to clean URL parameters like `file.php?title=VALUEHERE`, not for queries. – John Sep 08 '13 at 23:46
@John: then htmlspecialchars should do, or (int) $var / (float) $var if they're numbers. – JimL Sep 08 '13 at 23:48
It just doesn't work like that. Like that in your case is: putting a condom on your car, adding a parachute, adding a bumper and putting a helmet on the roof. – PeeHaa Sep 08 '13 at 23:51
@John. 1. Your question is tagged with mysql and mysqli. 2. You are doing mysqli_real_escape_string. And now you says it is not for the query? – Your Common Sense Sep 09 '13 at 00:01

Using a single method to clean data

0 Answers0