I'm trying to make an easy way to clean all input data from forms. Does this code make sense? And is it safe?

    class DB
    {
        /** @var mysqli */
        private $link;

        public function __construct( mysqli $link )
        {
            $this->link = $link;
        }

        public function filter( $data )
        {
            if( !is_array( $data ) )
            {
                $data = trim( $data );
                $data = mysqli_real_escape_string( $this->link, $data );
            }
            else
            {
                //Recurse into nested arrays. The callback must be the instance
                //($this), not the class name, because filter() needs $this->link.
                $data = array_map( array( $this, 'filter' ), $data );
            }
            return $data;
        }
    }

    $_POST = $database->filter($_POST);
    //will all post variables now be safely escaped?
  • No, not safe. Your script is wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs. – RiggsFolly Feb 08 '19 at 11:40
  • https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Nick Feb 08 '19 at 11:58
  • RiggsFolly: The most upvoted answer you link to says it's 100% safe if using normal charsets...? – James T Feb 08 '19 at 12:06
  • Anyway, I should have pointed out that my main question was whether or not the way I filter the whole $_POST variable makes sense. I'm aware there are better methods of working with the database, but that requires a full rewrite (security is not extremely important in this application; it is not exposed to the internet). – James T Feb 08 '19 at 12:13
  • The quintessence of all those answers is "use prepared statements" and "mysqli_real_escape_string() prevents only some injections in some cases but not all". – Daniel W. Feb 08 '19 at 12:37
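The comments above all land on the same advice: keep the raw input and bind it as a parameter at query time, rather than escaping the whole `$_POST` array up front. The block below is an added example of that approach, not the asker's code and not an answer from this thread. It assumes a live `mysqli` connection in `$link` (with the mysqlnd driver, which `get_result()` needs); the `DB` class, the `users` table and the `id`/`name` field names are hypothetical.

```php
<?php
// Added example: a small helper that runs parameterized queries, shown next
// to the one case where escape-everything gives no protection at all.
// Assumes $link is an open mysqli connection; DB, users, id and name are
// hypothetical names chosen for this illustration.

class DB
{
    /** @var mysqli */
    private $link;

    public function __construct(mysqli $link)
    {
        $this->link = $link;
    }

    /**
     * Run a parameterized query. The SQL text is fixed; each value in
     * $params is sent to the server separately, so it can only ever be data.
     * Returns a mysqli_result for SELECT, or true for INSERT/UPDATE/DELETE.
     */
    public function run(string $sql, array $params = [])
    {
        $stmt = $this->link->prepare($sql);
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $this->link->error);
        }
        if ($params !== []) {
            // Binding every value as a string is fine: MySQL converts on
            // comparison, and a bound value never becomes part of the grammar.
            $stmt->bind_param(str_repeat('s', count($params)), ...$params);
        }
        if (!$stmt->execute()) {
            throw new RuntimeException('execute failed: ' . $stmt->error);
        }
        $result = $stmt->get_result();   // false when the statement returns no rows
        return $result === false ? true : $result;
    }
}

// Why escaping $_POST up front is weaker than it looks: real_escape_string
// only helps for a value that ends up inside quotes. In an unquoted numeric
// context there is nothing to escape, so the string lands in the SQL as-is.
$escaped = $link->real_escape_string('1 OR 1=1');          // unchanged
$stillInjectable = 'SELECT name FROM users WHERE id = ' . $escaped;
// The assembled text is: SELECT name FROM users WHERE id = 1 OR 1=1

// Parameterized version: the same lookup with the value bound, not spliced in.
$db = new DB($link);
$id = trim($_POST['id'] ?? '');            // trimming/validating input is still fine
$rows = $db->run('SELECT name FROM users WHERE id = ?', [$id]);
foreach ($rows as $row) {
    // Escape for the output context instead, at output time (here: HTML).
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The design point is that escaping is context-specific: `mysqli_real_escape_string()` is only meaningful for a quoted string literal inside SQL, and `htmlspecialchars()` only for HTML, so the place to apply either is where the value is used, not where it arrives. Leaving `$_POST` untouched also avoids double-escaping when the same value is later written to a log, a file or a second query. On PHP 8.1 or newer, `$stmt->execute([$id])` accepts the parameters directly and the `bind_param` step can be dropped.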
