My sanitizing $_POST[] function also sanitizes Turkish characters

Question

I've found a function on web to sanitize user input data and used it for creating an alternative to $_POST[] method as post() . However, it seems that this function also sanitizes UTF-8 characters such as ç,ş,ö,ı,İ,Ö,ğ, converting them into strings like öl. I don't know which part of the code does that.

Thanks in advance.

Sanitizing function

function post($key) {
    if (isset($_POST[$key])) {
        $data = $_POST[$key];
        if (is_array($data)) {
            foreach ($data as $key => $element) {
                $data[$key] = filter($element);
            }
        } else {
            $data = trim(htmlentities(strip_tags($data)));
            if(get_magic_quotes_gpc())
                $data = stripslashes($data);
            $data = pg_escape_string($data);
        }
    return $data;
    } else {
        return false;
    }
}

Answer 1

Looking at the manual I think you would need to add some additional params to your htmlentities call to let it know you are using UTF-8 encoded strings.

Here is a possible solution, I factored the relevant portion out into a separate function for clarity.

function post($key){
  if (isset($_POST[$key])){
    $post = $_POST[$key];

    if (is_array($post)) {
      $data = array();
      foreach ($post as $key => $element) {
        $data[$key] = filter($element);
      }
    } else {
      $data = formatHtmlEntities($post);
    }

    return $data;
  }

  return false;
}

function formatHtmlEntities($data)
{
  $stripTags = strip_tags($data);
  $entityEncodedData = trim(htmlentities($stripTags, ENT_QUOTES, "UTF-8"));

  if (get_magic_quotes_gpc()) {
    $entityEncodedData = stripslashes($entityEncodedData);
  }

  return pg_escape_string($entityEncodedData);
}

Answer 2

I've found an alternative solution which is to use htmlspecialchars() vs htmlentities() for my case. Reference question: htmlentities() vs. htmlspecialchars()