
Possible Duplicate:
PHP: the ultimate clean/secure function

I have got this code when I insert a user:

  function RegisterUser($userName, $pass, $email, $reputation, $role, $ban, $date, $ip, $numberAttempts, $avatar) // 'anonym', 'false', $myDate, $ip, 0, ''
  {
      // first HTML-encode and strip tags ...
      $userName = SanitizeString($userName);
      $pass     = SanitizeString($pass);
      $email    = SanitizeString($email);

      // ... then escape for use inside an SQL string literal
      $userName = mysql_real_escape_string($userName);
      $pass     = mysql_real_escape_string($pass);
      $email    = mysql_real_escape_string($email);

      // ... (the INSERT query itself is not shown in the post)
  }

The sanitize function is the following:

   function SanitizeString($var)
   {
       //$var=stripslashes($var);
       // encode every character that has an HTML entity, quotes included
       $var = htmlentities($var, ENT_QUOTES, 'UTF-8');
       // then remove anything that still looks like a tag
       $var = strip_tags($var);
       return $var;
   }

Am I doing this the right way to protect myself against a malicious attack (XSS attack, JavaScript attack, SQL injection)?

WithFlyingColors

1 Answer

Am I doing this the right way to protect myself against a malicious attack

Definitely NO.

Protection is not something like using one magic method to make all attacks disappear in a puff of smoke.
You need different scenarios for different attacks. A condom is commonly used for safety. Would you secure your money with a condom? I suppose not.
Same here.

Also, mindlessly mixing protection techniques will spoil your data.
For example, if your admin has the ability to post HTML from some online editor, this SanitizeString will make it impossible.

In fact, your function is trying to protect only from XSS, and in an obviously wrong way.
For the other attacks you need other things. I described SQL injection protection in this answer.

Your Common Sense
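The two separate defenses the answer points at, parameterized queries for SQL injection and escaping at output time for XSS, as an added PHP example that is not part of the question or the answer. It assumes PDO with an in-memory SQLite database so it runs offline; the table layout, the function names, the validation rules and the sample values are all constructed for the illustration.

```php
<?php
// Added example (not from the original post). Two separate defenses:
//  - SQL injection: PDO prepared statements; user data is bound, never spliced into SQL
//  - XSS: htmlspecialchars() at the point where a value is placed into HTML, not at storage time
// Assumptions: PDO + SQLite in memory so this runs offline; table layout is made up.

declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, pass_hash TEXT NOT NULL, email TEXT NOT NULL)');
    return $pdo;
}

// Validation instead of "sanitizing": reject a value that does not fit, do not rewrite it.
function validateUsername(string $u): string
{
    if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $u)) {
        throw new InvalidArgumentException('invalid username');
    }
    return $u;
}

function validateEmail(string $e): string
{
    $ok = filter_var($e, FILTER_VALIDATE_EMAIL);
    if ($ok === false) {
        throw new InvalidArgumentException('invalid email');
    }
    return $ok;
}

function registerUser(PDO $pdo, string $userName, string $pass, string $email): int
{
    $userName = validateUsername($userName);
    $email    = validateEmail($email);
    // The password is neither escaped nor HTML-encoded: it is hashed, so a password
    // containing ' & < > " still verifies later instead of being stored as entities.
    $hash = password_hash($pass, PASSWORD_DEFAULT);

    // Named placeholders keep data and SQL apart; nothing is quoted by hand.
    $stmt = $pdo->prepare('INSERT INTO users (username, pass_hash, email) VALUES (:u, :h, :e)');
    $stmt->execute([':u' => $userName, ':h' => $hash, ':e' => $email]);
    return (int) $pdo->lastInsertId();
}

function login(PDO $pdo, string $userName, string $pass): bool
{
    // Whatever $userName contains is compared as one value; a quote in it cannot
    // change the query.
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $userName]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

// The XSS defense lives here, where the stored raw value meets the HTML context.
function renderProfile(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>' . $h($row['username']) . ' &lt;' . $h($row['email']) . '&gt;</p>';
}

$pdo = connect();

// Constructed sample input: a password full of characters that the posted
// SanitizeString() + mysql_real_escape_string() combination would have rewritten
// before it ever reached the database.
$rawPassword = "O'Brien&<x>\"";
$id = registerUser($pdo, 'alice_01', $rawPassword, 'alice@example.com');

var_dump(login($pdo, 'alice_01', $rawPassword));                 // the real password
var_dump(login($pdo, 'alice_01', htmlentities($rawPassword, ENT_QUOTES, 'UTF-8'))); // the entity-encoded form
var_dump(login($pdo, "' OR '1'='1", 'anything'));               // classic injection string as the username
echo renderProfile($pdo, $id), "\n";
```

Run with `php example.php`. The first login check succeeds and the second fails, which is the point the answer makes about spoiling data: had the entity-encoded form been what was stored, the user's actual password would no longer match. The third check fails as well, because the injection string is bound as a plain username value and matches no row. The rendered profile line shows the username and email with any HTML-significant characters encoded, and that encoding happens only in the output function, so the same stored value could also be handed to a JSON API or a mail template without double-encoding.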