The Sterilizer


Published in: PHP
 

This function cleanses user input before it is placed into a query, to prevent SQL injection attacks. It should also prevent XSS attempts made through user input.

    <?php
    /*
    +-------------------------------------------------------------------+
    |                      The Sterilizer Function                      |
    | PHP 5+ ONLY - Used to prevent SQLI and XSS attacks via user input |
    |                                                                   |
    | 1 *REQUIRED* value, 1 <OPTIONAL> value to call this function:     |
    | $input  = User input string to be cleansed                        |
    | $is_sql = Boolean. Whether or not $input is a sql query           |
    +-------------------------------------------------------------------+
    | Example of use:                                                   |
    | $username = sterilize($_POST['username']);                        |
    | $query = "SELECT * FROM users WHERE username = '$username'";      |
    +-------------------------------------------------------------------+
    */

    function sterilize($input, $is_sql = false)
    {
        // Encode HTML metacharacters, including both quote styles
        $input = htmlentities($input, ENT_QUOTES);

        // The page shows this call inside a bare { } block with no condition,
        // so the backslash stripping runs unconditionally here as well
        $input = stripslashes($input);

        if ($is_sql) {
            // Requires the legacy mysql extension and an open connection;
            // that extension was removed in PHP 7
            $input = mysql_real_escape_string($input);
        }

        $input = strip_tags($input);

        // The original source shows a literal line break inside the first
        // string; written as "\n" here, it replaces a newline with itself
        $input = str_replace("\n", "\n", $input);

        return $input;
    }
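The snippet escapes the value and then interpolates it into the SQL text, and it HTML-encodes the value before it ever reaches the database. As an added example that is not part of the original snippet, here is the same username lookup done with a PDO prepared statement, with HTML encoding deferred to output; it assumes PHP 7.1+ with the pdo_sqlite extension and uses an in-memory SQLite table in place of the MySQL users table.

```php
<?php
// Added example, not part of the original snippet: the same username lookup
// done with a parameterized query, with HTML encoding applied only when the
// value is rendered. Assumes PHP 7.1+ with the pdo_sqlite extension; the
// in-memory SQLite database stands in for the MySQL database the snippet targets.

function find_user(PDO $db, string $username): ?array
{
    // The placeholder keeps the value out of the SQL text, so quotes and other
    // metacharacters in $username are data, never syntax.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function render_username(string $username): string
{
    // Encoding is an output concern: apply it once, at the HTML boundary,
    // and store the raw value so that database comparisons still work.
    return htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->prepare('INSERT INTO users (username) VALUES (:u)')->execute([':u' => "O'Brien"]);

// Constructed inputs: a legitimate name containing an apostrophe, the same name
// after the snippet's htmlentities() step, and a quote-laden string of the kind
// that would change the meaning of a concatenated query.
$inputs = [
    "O'Brien",
    htmlentities("O'Brien", ENT_QUOTES),   // the apostrophe becomes an entity
    "x' OR '1'='1",
];

foreach ($inputs as $input) {
    $row = find_user($db, $input);
    printf("%-22s -> %s\n", $input, $row === null ? 'no match' : 'matched id ' . $row['id']);
}
// Only the raw O'Brien matches: the entity-encoded form no longer equals the
// stored name, and the quote-laden string is compared literally and finds nothing.

echo render_username("O'Brien"), "\n";
```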


Comments

Posted By: pariisa on November 6, 2007
Posted By: czly on August 4, 2008

$input = str_replace(" ", "\n", $input);

replace ' ' with \n ? why?
