Hello forums!!
I would like to know if I am doing right for security purposes or not.
For any user-submitted data ($_POST & $_GET) I perform the following:

$_POST = filter_user_input($_POST);
// $_GET = filter_user_input($_GET);

// then after use that submitted data for queries as
$sql = "INSERT INTO `table_name` (field1, field2) VALUES ('" . $_POST['field1'] . "', '" . $_POST['field2'] . "')";

// filter_user_input function (renamed from filter_input, which collides with
// PHP's built-in filter_input() in PHP 5.2 and later)
function filter_user_input($arg){
    if(is_array($arg)){
        foreach($arg as $key => $value){
            // recurse so nested arrays (numeric or associative keys) are handled
            $arg[$key] = filter_user_input($value);
        }
        return $arg;
    }elseif(is_string($arg)){
        // trim, then HTML-encode, then escape for MySQL
        // (mysql_real_escape_string() needs an open mysql connection and was removed in PHP 7)
        return mysql_real_escape_string(htmlentities(trim($arg), ENT_QUOTES, 'UTF-8'));
    }else{
        // leave ints, floats, bools and nulls untouched
        return $arg;
    }
}

My questions:
- Is this a secure filter or not?

Thanks in advance for your valuable suggestions.

    I would like to know if I am doing right for security purposes or not.

    Security-wise, probably correct, but I dislike such functions that blindly escape all incoming variables.

    However, I believe that what you have done is not good practice. You should use mysql_real_escape_string() before using the input in a query, but use htmlspecialchars() on output. Storing the text in a form only readable by web browsers (and other HTML user agents) fixes the format of the text unnecessarily.
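The pattern this reply recommends (keep stored text raw, put the SQL boundary at query time, HTML-escape only on output), as an added example that is not from the thread. It uses PDO prepared statements against an in-memory SQLite table in place of mysql_real_escape_string(), which was removed in PHP 7; the table name, column names and sample input are constructed for the demo.

```php
<?php
// Added example: escape for the query at query time, escape for HTML at output
// time. PDO binding stands in for mysql_real_escape_string(); SQLite in memory
// lets it run without a MySQL server.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input, as it would arrive in $_POST: a quote, an
// ampersand and a tag, so both the SQL layer and the HTML layer matter.
$input = ['author' => "O'Reilly & Sons", 'body' => "Isn't this <b>bold</b>?"];

// Store the text exactly as submitted. The query/data boundary is enforced by
// parameter binding, so the value is never mangled to make it "safe".
function store_post(PDO $pdo, array $in): int {
    $stmt = $pdo->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => trim($in['author']), ':body' => trim($in['body'])]);
    return (int) $pdo->lastInsertId();
}

// Escape for HTML only when rendering. The database keeps the original text,
// so the same row can later go out as JSON, CSV or plain text unchanged.
function render_post(PDO $pdo, int $id): string {
    $stmt = $pdo->prepare('SELECT author, body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p><strong>' . $h($row['author']) . '</strong>: ' . $h($row['body']) . '</p>';
}

$id = store_post($pdo, $input);

// Check: the stored value is verbatim, not entity-encoded.
$stored = $pdo->query('SELECT author FROM posts')->fetchColumn();
if ($stored !== "O'Reilly & Sons") {
    throw new RuntimeException('stored text was altered: ' . $stored);
}
echo render_post($pdo, $id), PHP_EOL;

// For contrast, the thread's filter encodes for HTML before storage, so the
// database would hold this entity-encoded form instead of the real text.
echo htmlentities(trim($input['author']), ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

Run with `php example.php`; the first line printed is the safely rendered HTML and the second shows what the blanket filter would have written to the database.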
