
I'm using PHP and I just want to ask if the function I'm using to sanitize my inputs is good enough against SQL injection and other malicious stuff that can come in through an input.


public function test_input($data)
{
    $data = trim($data);             // strip leading/trailing whitespace
    $data = stripslashes($data);     // remove backslashes (turns \' into ' and \\ into \)
    $data = htmlspecialchars($data); // & < > " (and ' from PHP 8.1 on) become HTML entities
    return $data;
}

Here are the criteria I want you guys to rate me on:

Is it the most efficient way to sanitize a user's input?

Does it sanitize the input well enough to stop malicious code going into my database?

Also, this is just a bonus, but if I sanitize a user's input, will I need to sanitize anything else? I'm already binding the user's parameters before I enter them into the database.

dislonely

  • I don't know where you got this from but it does nothing of value, and corrupts your data, to boot. Don't use this function at all. Do find out about prepared statements, and use those instead. – Tangentially Perpendicular Nov 13 '21 at 02:22
  • @TangentiallyPerpendicular how exactly does it corrupt my code? I am using PDO and I use binding already. I just use this function on the inputted data before I send it to the database to do something with it. – dislonely Nov 13 '21 at 02:27
  • `stripslashes()` removes characters from the input. You have no way to know whether those slashes are significant, and no way to replace them later. `htmlspecialchars()` replaces certain characters in your code with HTML expansions. It's an output function intended for use when sending data to a browser. You could decode those expansions when retrieving data from the database, but you have to remember to decode them everywhere. If you're using bound parameters properly (and we don't know because you haven't posted that code) you don't need to sanitise data going to the database... – Tangentially Perpendicular Nov 13 '21 at 02:46
  • ...You always need to be careful with what data you send to the browser, but the time to worry about that is when you are actually sending it to a browser. – Tangentially Perpendicular Nov 13 '21 at 02:46
  • So should I just bind the parameters and forget about this function? Or is there another function I can make to sanitize my inputs? – dislonely Nov 13 '21 at 02:47
  • Preventing SQL injection is not HTML sanitizing. To remove all HTML just use `strip_tags()`. To convert HTML just use `htmlspecialchars()`. To accept some HTML, search for **HTML Purifier** or use PHP `Dom` to do that. – vee Nov 13 '21 at 05:24
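The approach the comments recommend, as an added example (this is not code from the question or from any commenter): user input reaches the database only through PDO bound parameters, is stored exactly as typed, and is escaped for HTML only when it is placed in a page. The question's own `test_input()` is kept alongside so its effect on the same values can be compared. The example uses an in-memory SQLite database so it runs offline (it needs the `pdo_sqlite` extension, present in most PHP builds); the table name, the `openDb`/`insertUser`/`findUserByName`/`renderName` helpers and the sample inputs are this example's own choices.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the comments: bound parameters
// for storage, verbatim round trip, HTML escaping at output time only.

// The question's function, kept as posted so its effect can be compared.
function test_input(string $data): string
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On MySQL this makes the server parse the statement before it sees any
    // values; SQLite ignores it, but it is the setting you want in production.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $pdo;
}

// The value never becomes part of the SQL text, so quotes, backslashes and
// comment markers inside it cannot change what the statement does.
function insertUser(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $pdo->lastInsertId();
}

function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML escaping belongs here, at the moment the value goes into a page.
// ENT_QUOTES also covers the single quote, which matters inside attributes.
function renderName(string $name): string
{
    return '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

$pdo = openDb();

// Constructed inputs: an injection attempt, a path with backslashes, a script tag.
$inputs = [
    "O'Brien' OR 1=1 --",
    'C:\\Users\\alice',
    '<script>alert(1)</script>',
];

foreach ($inputs as $raw) {
    insertUser($pdo, $raw);
    $stored = findUserByName($pdo, $raw)['name'];
    if ($stored !== $raw) {
        throw new RuntimeException("round trip changed the value: $raw");
    }
    printf("raw:        %s\n", $raw);
    printf("stored:     %s\n", $stored);
    printf("test_input: %s\n", test_input($raw));   // backslashes gone, entities stored
    printf("html:       %s\n\n", renderName($stored));
}

// The injection text was stored as a literal: three rows exist, and "O'Brien"
// on its own matches nothing, so "OR 1=1" was never interpreted as SQL.
$count = (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
if ($count !== 3 || findUserByName($pdo, "O'Brien") !== null) {
    throw new RuntimeException('unexpected database state');
}
echo "all {$count} rows stored verbatim\n";
```

Run it with `php example.php`. The `test_input` line in the output shows the two problems the comments describe: `C:\Users\alice` comes back as `C:Usersalice`, and `<script>` comes back as `&lt;script&gt;`, which would then be stored in that form and have to be decoded everywhere it is read back. The `stored` line shows that with bound parameters none of that is needed.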

1 Answer


The validation depends mainly on the context of your website, on what should be confirmed to keep the database as consistent as possible. Also there are some validations which are like global or public, such as trim() and stripslashes().

The main function of validation is to check user inputs that will be stored in the database and used in the future, such as the email or phone number and password of a user when logging in or signing up. You should validate that the phone number is numeric and only 12 characters long. Or validate that the email is in the correct format.

About what to use for validation, you can search for: FILTERS here https://www.w3schools.com/php/php_filter.asp ,

REGULAR EXPRESSIONS here https://www.w3schools.com/php/php_regex.asp

Another way is by using string functions: here https://www.w3schools.com/php/php_ref_string.asp
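The kind of validation the answer describes, as an added example (this is not code from the answer): each field is checked for the shape the application expects and rejected otherwise, as a step separate from storage and from output escaping. The email check uses PHP's built-in filter and the phone check a regular expression, the two tools the answer links; the 12-digit phone rule and the field names come from the answer, while the password rules, the `validateSignup`/`hashPassword` names and the sample submissions are this example's own choices.

```php
<?php
declare(strict_types=1);

// Added example, not code from the answer: validate (accept or reject) each
// field, then hash the password; nothing is "cleaned" on the way in.

/**
 * Validate a sign-up form. Returns field => error message for every field that
 * failed; an empty array means all fields passed.
 */
function validateSignup(array $form): array
{
    $errors = [];

    // Email: the built-in filter rejects spaces, missing domains and similar,
    // but says nothing about whether the address exists.
    $email = trim((string) ($form['email'] ?? ''));
    if ($email === '') {
        $errors['email'] = 'Email is required.';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email address is not well formed.';
    }

    // Phone: the answer's rule, exactly 12 digits, as a regular expression.
    // \A and \z anchor to the real string ends (with ^ and $ a trailing newline
    // would still match), and [0-9] keeps it to ASCII digits.
    $phone = trim((string) ($form['phone'] ?? ''));
    if (preg_match('/\A[0-9]{12}\z/', $phone) !== 1) {
        $errors['phone'] = 'Phone number must be exactly 12 digits.';
    }

    // Password: a minimum in characters and a 72-byte maximum, because bcrypt
    // (the current PASSWORD_DEFAULT) silently uses only the first 72 bytes.
    $password = (string) ($form['password'] ?? '');
    if (mb_strlen($password, 'UTF-8') < 12) {
        $errors['password'] = 'Password must be at least 12 characters.';
    } elseif (strlen($password) > 72) {
        $errors['password'] = 'Password must be at most 72 bytes.';
    }

    return $errors;
}

// After validation the password is hashed, not sanitized; the hash is what
// gets stored and is later checked with password_verify().
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed sample submissions.
$samples = [
    'good' => [
        'email'    => 'alice@example.com',
        'phone'    => '441632960123',
        'password' => 'correct horse battery staple',
    ],
    'bad' => [
        'email'    => "x' OR 1=1 --@example.com",   // contains spaces: not a valid address
        'phone'    => '44 1632 960123',              // right digits, wrong shape
        'password' => 'hunter2',
    ],
];

foreach ($samples as $label => $form) {
    $errors = validateSignup($form);
    if ($errors === []) {
        $hash = hashPassword($form['password']);
        if (!password_verify($form['password'], $hash)) {
            throw new RuntimeException('hash does not verify');
        }
        printf("%s: ok, password hash starts with %s\n", $label, substr($hash, 0, 7));
    } else {
        printf("%s: rejected\n", $label);
        foreach ($errors as $field => $message) {
            printf("  %-8s %s\n", $field, $message);
        }
    }
}
```

Validation of this kind answers a different question from the one `test_input()` tries to answer: it decides whether the value is acceptable at all, rather than transforming it. A value that passes still goes to the database through a bound parameter and still gets `htmlspecialchars()` when it is rendered; validation does not replace either of those.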