a function PHP to prevent SQL injection and xss

Question

I want a function to prevent SQL injection and xss atacks using php like

function name($inp){
  return sql(xss($inp));
}

Thanks

prepared statements going in(sql injection), htmlspecialchars going out(xss protection). — Steve, Aug 12 '16 at 13:05
Not a good StackOverflow question: http://stackoverflow.com/help/how-to-ask . Please rephrase and show your own attempt. Voting to close. — BeetleJuice, Aug 12 '16 at 13:07

score 0 · Answer 1 · answered Aug 12 '16 at 13:07

No function is needed simply use PDO is enough here. Here is a quick article explaining how PDO prevents SQL injection

http://mstd.eu/index.php/2016/07/05/how-can-i-prevent-sql-injection-in-php/

So the PDO extension and prepared statements, whats the deal with SQL-Injection? The idea is your query is prepared with placeholders and then those placeholders are used to inject sanitized data into the query just before its sent to the database server. The great thing about this as the programmer is you don’t have to do anything extra the prepared statement does all the formatting for you before passing user input to the database.

Everything you need in terms of using PDO can be found in the PHP docs here:

http://php.net/manual/en/book.pdo.php

XSS attacks are prevented by escaping output not input take a look at the function htmlspecialchars

http://php.net/manual/en/function.htmlspecialchars.php

a function PHP to prevent SQL injection and xss

1 Answers1