Posted By Vanish on 12/07/06

Tagged: sql php5 injection xss prevention



The Sterilizer / Published in: PHP

This function cleanses user input before it is used to build queries, to prevent SQL injection attacks. It should also prevent XSS attempts delivered through user input.

/*
+-------------------------------------------------------------------+
|______________________The_Sterilizer_Function______________________|
| PHP 5+ ONLY - Used to prevent SQLI and XSS attacks via user input |
|                                                                   |
| 1 *REQUIRED* value, 1 <OPTIONAL> value to call this function:     |
| $input  = User input string to be cleansed                        |
| $is_sql = Boolean. Whether or not $input is a sql query           |
+-------------------------------------------------------------------+
| Example of use:                                                   |
| $username = sterilize($_POST['username']);                        |
| $query = "SELECT * FROM users WHERE username = '$username'";      |
+-------------------------------------------------------------------+
*/

function sterilize ($input, $is_sql = false)
{
    // Encode HTML special characters, including both single and double quotes.
    $input = htmlentities($input, ENT_QUOTES);

    // No condition guards this block in the published snippet, so it always runs
    // and removes any backslashes in the (already entity-encoded) input.
    {
        $input = stripslashes ($input);
    }

    // Only for values that go into a query. Requires an open connection from the
    // mysql extension, which no longer exists in PHP 7 and later.
    if ($is_sql)
    {
        $input = mysql_real_escape_string ($input);
    }

    // Remove any remaining HTML/PHP tags.
    $input = strip_tags($input);
    // The search string was garbled in the published snippet; as shown it
    // replaces a newline with a newline, i.e. it changes nothing.
    $input = str_replace("\n", "\n", $input);

    return $input;
}
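For comparison, an added example that is not part of the original snippet: rather than one "sterilize" pass that mixes HTML encoding with SQL escaping, the SQL value is bound as a parameter and HTML escaping happens only when the value is rendered. It assumes PHP 7+ with the pdo_sqlite extension; the users table and its rows are constructed here.

```php
<?php
// Added example (not the snippet author's code): keep SQL parameter binding and
// HTML output escaping separate. Uses an in-memory SQLite database via PDO so it
// runs offline; assumes the pdo_sqlite extension is loaded.

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
    // Constructed sample rows; two contain characters that htmlentities() or
    // stripslashes() would alter before they ever reached the database.
    $ins = $db->prepare("INSERT INTO users (username) VALUES (:u)");
    foreach (["alice", "o'brien", "<bob>"] as $u) {
        $ins->execute([':u' => $u]);
    }
    return $db;
}

// Look up a user by name. The value is bound as a parameter, so the database
// receives it as data and never parses it as part of the SQL statement.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape only at the point where the value is written into HTML, so the stored
// value stays intact and the encoding matches the output context.
function renderUsername(string $username): string
{
    return '<span>' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '</span>';
}

$db = connect();

// A stored value containing an apostrophe is found unchanged.
$row = findUser($db, "o'brien");
assert($row !== null && $row['username'] === "o'brien");

// Input that looks like SQL syntax is compared literally and matches no row.
assert(findUser($db, "' OR '1'='1") === null);

// The same stored data is escaped for HTML only when rendered.
assert(renderUsername("<bob>") === '<span>&lt;bob&gt;</span>');
echo renderUsername($row['username']), "\n";
```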


Comments

Posted By: pariisa on November 6, 2007
Posted By: czly on August 4, 2008

$input = str_replace(" ", "\n", $input);

replace ' ' with \n ? why?
