schwim;11029327 wrote: but is this a decent starting point?
In my opinion: No, it is not. For one, the entire premise that you can create a single "sanitizer" function that works in all situations is nothing more than fantasy.
As you pointed out, the cleanInput() function makes a lot of assumptions that may or may not always be true. Furthermore, the sanitize() function makes even more assumptions that are almost certainly not always true. Namely, it assumes that 1) you're using the deprecated [man]mysql[/man] extension, and 2) every piece of data you put into your database is a string (in other words, you never use any type of numeric d
schwim;11029327 wrote: I would have thought that I would also want substr included somehow, like sanitize($variable, 20) to allow me to prepare the string for db input and truncate it to 20 characters long.
You could also add a third boolean parameter that indicates whether or not PHP should cook you some scrambled eggs with a side of toast, or simply perform any other task that is completely unrelated to the scope suggested by the function's name. I've always subscribed to the method of making function names fully reflect their intent/purpose, and that if doing so means you end up with incredibly long function names (who wants to type sanitizeMysqlStringToMaxLengthAfterStrippingVariousHTMLEntities() even one time, let alone multiple times?) then the problem isn't that you need to be more clever and remove all vowels or find some mysterious contractions; instead, the problem is that you need to split the function into ones that each have only one... well, function.
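To illustrate the split the reply argues for, here is an added example (not code from the thread or from schwim's original post): truncation, HTML escaping and database storage are separate functions, and the database step uses a PDO prepared statement with typed binding instead of a catch-all sanitize(). The table name, column names and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added example: one concern per function, in place of a single sanitize().

// Truncation is purely a string concern, independent of where the value ends up.
function truncateTo(string $value, int $maxLen): string
{
    return mb_substr($value, 0, $maxLen);
}

// HTML escaping belongs at output time, not before the value is stored.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Database "sanitizing" is replaced by a prepared statement with typed binding,
// so nothing has to guess whether a value is a string or a number.
function insertUser(PDO $pdo, string $name, int $age): void
{
    $stmt = $pdo->prepare('INSERT INTO users (name, age) VALUES (:name, :age)');
    $stmt->bindValue(':name', truncateTo($name, 20), PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->execute();
}

// Demo against an in-memory SQLite database (assumed schema, constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, age INTEGER)');

// The apostrophe and the tags are stored as-is; nothing is mangled on the way in.
insertUser($pdo, "O'Brien <b>the Elder</b> of Somewhere", 42);

foreach ($pdo->query('SELECT name, age FROM users') as $row) {
    // Escape only here, because this is the HTML context.
    echo escapeForHtml($row['name']) . ' (' . (int) $row['age'] . ")\n";
}
```

The stored name is cut to 20 characters by truncateTo() alone, and the quote and angle brackets only become entities when escapeForHtml() runs at output.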