There seems to be a lot of information about this issue all over the internet with no real clarity on required steps.

I am trying to create a 'catch-all' function to prepare strings prior to storage in the DB.

function sanitiseThis($string, $conn) {
   $string = trim($string);
   $string = htmlentities($string);
   // The procedural form of mysqli_real_escape_string() needs the mysqli
   // connection as its first argument; without it the call fails.
   $string = mysqli_real_escape_string($conn, $string);
   return $string;
}

Is the trim()/htmlentities() necessary?

Richard Owens
In short - that entire function is basically superfluous, just use prepared statements with parameterised queries and you're golden. – CD001 Jun 27 '18 at 10:55

To elaborate on what @CD001 said: you don't necessarily need to clean your strings as long as you use prepared statements and parametrised queries. This way the database won't execute SQL in them. If you use the strings in some output HTML however, things can get messed up (stored XSS). Cleaning things can be very helpful then. Your function looks alright for that, but can be simpler: https://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php – Loek Jun 27 '18 at 10:59

Thanks all. I just need to get my head around this prepare() function. :) – Richard Owens Jun 27 '18 at 11:08

Not sure that this is a duplicate, however there is an *awful* lot wrong with what is being proposed here. It's little better than not bothering escaping at all. – symcbean Jun 27 '18 at 12:27
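A worked version of what the comments recommend, added here and not part of the question or any comment: the values reach the database through a prepared statement untouched, and HTML escaping happens once, at output time, instead of inside a storage-time "sanitise" function. It assumes PHP's PDO with the SQLite driver (an in-memory database) so it runs stand-alone; with MySQL only the DSN and credentials change.

```php
<?php
// Added example: prepared statement on the way in, context-specific escaping on
// the way out. PDO + in-memory SQLite is used so the script needs no server.
function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
    return $pdo;
}

// Store the raw (only trimmed) text. The named placeholders keep the values
// outside the SQL grammar, so a quote in $author cannot end the string literal.
function storeComment(PDO $pdo, string $author, string $body): void {
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => trim($author), ':body' => trim($body)]);
}

// Read back by author; the lookup value is bound the same way, never concatenated.
function findComment(PDO $pdo, string $author): ?array {
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE author = :author');
    $stmt->execute([':author' => $author]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape for the HTML context only when rendering. This is where
// htmlentities()/htmlspecialchars() belongs, not before the INSERT.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderComment(array $row): string {
    return '<p><b>' . h($row['author']) . '</b>: ' . h($row['body']) . '</p>';
}

// Constructed input containing both a single quote and HTML, the two things
// the original sanitiseThis() tried to neutralise at storage time.
$pdo = openDb();
storeComment($pdo, "O'Brien", '<script>alert(1)</script> said "hi"');

$row = findComment($pdo, "O'Brien");
// The stored text is byte-for-byte what the user sent: nothing was escaped on input,
// so it can later be rendered safely into HTML, JSON, or plain text alike.
if ($row === null || $row['body'] !== '<script>alert(1)</script> said "hi"') {
    throw new RuntimeException('unexpected stored value');
}
echo renderComment($row), "\n";
```

The mysqli equivalent of the insert is `$stmt = $mysqli->prepare('INSERT INTO comments (author, body) VALUES (?, ?)'); $stmt->bind_param('ss', $author, $body); $stmt->execute();`, which is the prepare() the last comment refers to.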