small php user input cleaner

kusal

   1. function clear_str_values($contaminated_var)
   2. {
   3.  

   4.     $contaminated_var = str_replace("'", '', $contaminated_var);
   5.    

   6.     $contaminated_var = stripcslashes(strip_tags(trim($contaminated_var)));
   7.     $contaminated_var = str_replace("$", '', $contaminated_var);
   8.     $contaminated_var = str_replace(";", '', $contaminated_var);
   9.     $contaminated_var = str_replace(":", '', $contaminated_var);
  10.     $contaminated_var = str_replace("/", '', $contaminated_var);
  11.    

  12.     return $contaminated_var;
  13. }

I wrote this small function to be include in my all php files to clean user input,
I needed it to be simple, is this enough or did I miss something important.
will this function slow down my script very badly?

Thank you

NogDog

It all depends on why you want to all of that filtering. For instance, the first replacement would screw up any name field if a user's last name is "O'Reilly". And getting rid of punctuation like ":" and ";" might make things difficult to read and possibly even change their meaning in, for example, the message field of a contact form.

In general, rather than just filter things out, you need to decide what is allowable for each field, and if the user enters something that's not allowed, then return an error so he can fix it, rather than assuming it's OK to just automatically edit it out. (An exception might be something like entering a SSN, where you could strip out any non-numeric characters, then make sure it ends up with the correct number of digits.)

kusal

I'm concerned on the security issue,
first stripping need to be done to restrict sql injections, i guess
I just want to filter out any harmful data, metacharaters coming from out side.

bradgrafelman

No data itself is harmful. There's no magic word that you could whisper next to a server and make it wilt and die. Data is only harmful if you use it (e.g. display it) improperly.
kusal wrote:
first stripping need to be done to restrict sql injections, i guess
This is definitely incorrect. You don't need to strip any data to prevent SQL injections, you just need to sanitize it. Besides, even if you wanted to go with stripping (and therefore damaging/altering) data, you're still missing a few characters.

The answer is to simply use one all-encompassing function that you don't even have to write: [man]mysql_real_escape_string/man. Note that this assumes you're using the MySQL library; there are more appropriate commands/techniques in the advanced, newer libraries (e.g. PDO's prepared statements).

kusal

Thank you for the advice
Good Luck to all