The Ultimate Clean/Secure Function

The ultimate clean/secure function

The idea of a generic sanitation function is a broken concept.

There is one right sanitation method for every purpose. Running them all indiscriminately on a string will often break it - escaping a piece of HTML code for a SQL query will break it for use in a web page, and vice versa. Sanitation should be applied right before using the data:

  • before running a database query. The right sanitation method depends on the library you use; they are listed in How can I prevent SQL injection in PHP?

  • htmlspecialchars() for safe HTML output

  • preg_quote() for use in a regular expression

  • escapeshellarg() / escapeshellcmd() for use in an external command

  • etc. etc.

Using a "one size fits all" sanitation function is like using five kinds of highly toxic insecticide on a plant that can by definition only contain one kind of bug - only to find out that your plants are infested by a sixth kind, on which none of the insecticides work.

Always use that one right method, ideally straight before passing the data to the function. Never mix methods unless you need to.

PHP security function

This is wrong in at least two ways:

  1. Turn off magic_quotes completely if you can. At least you are not using it, but $input may not be scalar.
  2. htmlentities is for display, not storage. Never encode for storage!
  3. mysql_* functions are deprecated. There is no guarantee you will have an open mysql connection (required) when you call it either.

http://us3.php.net/manual/en/function.mysql-real-escape-string.php
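The two answers above make the same two points: storage and display are different contexts, and each context gets its own escaping applied at the moment of use. The script below is an added example (not code from any of the quoted answers) that takes one constructed input, stores it unmodified through a PDO prepared statement, and then escapes the same stored text separately for HTML, for a regular expression and for a shell argument; the last lines show what "encoding for storage" does to the output. It assumes the pdo_sqlite extension so it runs offline against an in-memory database; the table name and the sample comment are placeholders.

```php
<?php
// Added example: one raw value, stored as-is, escaped per sink at use time.
// Assumes pdo_sqlite is available (in-memory database, nothing persists).

declare(strict_types=1);

// Constructed input, shaped like a hostile comment arriving in $_POST.
$rawComment = "O'Reilly <script>alert(1)</script> & co. \$(whoami)";

// 1. Storage: the prepared statement carries the value as data, never as SQL.
//    Nothing is escaped or encoded here, so the stored text equals the input.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $rawComment]);

// Integer ids are bound as integers (the intval() point from the MySQL answer).
$select = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
$select->bindValue(':id', 1, PDO::PARAM_INT);
$select->execute();
$stored = $select->fetchColumn();

if ($stored !== $rawComment) {
    throw new RuntimeException('stored value should round-trip unchanged');
}

// 2. HTML output: escape at render time, for this context only.
$forHtml = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// 3. Regular expression: the same text used as a literal search needle.
$pattern = '/' . preg_quote($stored, '/') . '/';
$matchesItself = preg_match($pattern, $stored) === 1;

// 4. Shell argument: single-quoted so $(whoami) is never interpreted.
$forShell = escapeshellarg($stored);

// What "encode for storage" produces: htmlentities() before INSERT, then
// htmlspecialchars() again on output, leaves "&amp;lt;script&amp;gt;" on the page.
$doubleEncoded = htmlspecialchars(
    htmlentities($rawComment, ENT_QUOTES, 'UTF-8'),
    ENT_QUOTES,
    'UTF-8'
);

printf("stored:   %s\n", $stored);
printf("html:     %s\n", $forHtml);
printf("regex ok: %s\n", $matchesItself ? 'yes' : 'no');
printf("shell:    %s\n", $forShell);
printf("double:   %s\n", $doubleEncoded);
```

Each escaping call takes the stored text as its input, not the output of another escaping call; that is the practical form of "never mix methods unless you need to".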

Sanitising user input for MySQL

I'd also recommend not using the obsolete mysql_* functions and instead use PDO.

But to fix your existing code, use intval.

$id = intval($_GET['id']);

php input security

Am I doing it the right way to protect myself against a malicious attack

Definitely NO.

Protection is not something like using one magic method to make all attacks disappear in a puff of smoke.

You need different scenarios for different attacks. A condom is commonly used for safety. Would you secure your money with a condom? I suppose not.

Same here.

Also, mindlessly mixing protection techniques will spoil your data.

For example, if your admin has the ability to post HTML from some online editor, this SanitizeString will make it impossible.

In fact, your function is trying to protect only from XSS, and in an obviously wrong way.

For the other attacks you need other things. I described SQL injection protection in this answer.

Is this sufficient security for user input in PHP

Once again, there is no universal escape function that just magically makes things "secure".

See this: https://stackoverflow.com/a/7810880/362536

Different escape methods are used for different things. You can't just run a bunch of data through a bunch of functions that are supposed to be used in specific contexts. You are creating garbage data, and are no more secure than you were with the raw user data in the first place.

Will this code actually work against SQL-injection?

Generic code cleaning functions are always a bad idea. They will break your data in one way or the other. Never use them; sanitize data right before it gets used, with the right sanitation method for the intended use.

Duplicate: PHP: the ultimate clean/secure function

Best and simplest way to secure login form

You should use a secure way like the helpful links below:

https://secure.php.net/manual/en/function.password-hash.php

https://secure.php.net/manual/en/function.password-verify.php

Here is the example:

// See the password_hash() example to see where this came from.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

// $_POST['password'] is absent on a GET request; default to '' to avoid a warning.
if (password_verify($_POST['password'] ?? '', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}

Hope this helps
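The snippet above verifies one fixed hash. The script below is an added example (not the answer's own code) that shows where that hash comes from in practice: registration stores a password_hash() result through a prepared statement, login looks the hash up and checks it with password_verify(), and password_needs_rehash() upgrades old hashes when the default algorithm or cost changes. It assumes pdo_sqlite for an offline in-memory database; the users table, the registerUser()/loginUser() names and the credentials are constructed for this demonstration.

```php
<?php
// Added example: registration and login with password_hash()/password_verify().
// Assumes pdo_sqlite; table and credentials are placeholders for the demo.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

function registerUser(PDO $pdo, string $username, string $password): void
{
    // The hash string embeds algorithm, cost and salt; only the hash is stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $pdo, string $username, string $password): bool
{
    // One dummy hash, computed once, so unknown users cost the same as known ones.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown user: still run a verify so timing does not reveal existence.
        password_verify($password, $dummyHash);
        return false;
    }

    if (!password_verify($password, $hash)) {
        return false;
    }

    // Transparent upgrade when PASSWORD_DEFAULT or its cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $update = $pdo->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $update->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// Constructed credentials for the demonstration.
registerUser($pdo, 'alice', 'correct horse battery staple');

$checks = [
    'right password' => loginUser($pdo, 'alice', 'correct horse battery staple'),
    'wrong password' => loginUser($pdo, 'alice', 'Tr0ub4dor&3'),
    'unknown user'   => loginUser($pdo, 'mallory', 'anything'),
];
foreach ($checks as $label => $ok) {
    printf("%-15s => %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

The plaintext password is never stored or logged, the lookup is a prepared statement, and the same code path runs whether or not the username exists.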
