The ultimate clean/secure function
The idea of a generic sanitation function is a broken concept.
There is one right sanitation method for every purpose. Running them all indiscriminately on a string will often break it - escaping a piece of HTML code for a SQL query will break it for use in a web page, and vice versa. Sanitation should be applied right before using the data:
- before running a database query. The right sanitation method depends on the library you use; they are listed in How can I prevent SQL injection in PHP?
- htmlspecialchars() for safe HTML output
- preg_quote() for use in a regular expression
- escapeshellarg() / escapeshellcmd() for use in an external command
- etc. etc.
Using a "one size fits all" sanitation function is like using five kinds of highly toxic insecticide on a plant that can by definition only contain one kind of bug - only to find out that your plants are infested by a sixth kind, on which none of the insecticides work.
Always use that one right method, ideally straight before passing the data to the function. Never mix methods unless you need to.
PHP security function
This is wrong in at least two ways:
- Turn off magic_quotes completely if you can. At least you are not using it, but $input may not be scalar
- htmlentities is for display, not storage. Never encode for storage!
- mysql_* functions are deprecated. There is no guarantee you will have an open mysql connection (required) when you call it either.
http://us3.php.net/manual/en/function.mysql-real-escape-string.php
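The "one right method, right before use" rule from the first answer and the "never encode for storage" point from the answer above, shown together as an added example (not code from either answer or from the PHP manual). It assumes PHP with the pdo_sqlite extension so the storage step runs offline against an in-memory database; the comments table, the check() helper and the hostile input string are constructed for the demo.

```php
<?php
// Added example: one raw value, stored unchanged, then escaped differently for
// each context it is used in. Assumes the pdo_sqlite extension is available.
declare(strict_types=1);

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input: hostile in three different contexts at once
// (SQL quote, HTML tag, shell substitution, regex metacharacters).
$input = "O'Reilly <script>alert(1)</script> \$(id) a.b*";

// 1. Database: no escaping at all. A prepared statement keeps data and SQL
//    apart, and the value is stored exactly as typed (nothing encoded for storage).
$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $input]);

$stored = $pdo->query('SELECT body FROM comments WHERE id = 1')->fetchColumn();
check($stored === $input, 'value round-trips through the database unchanged');

// 2. HTML output: escape at the moment of output, for this context only.
$html = '<p>' . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';

// 3. Regular expression: the same raw value, quoted for the regex engine instead.
$pattern = '/' . preg_quote($stored, '/') . '/';
check(preg_match($pattern, $stored) === 1, '"." and "*" are matched literally');

// 4. External command: quoted as one argv element, so $(id) is never expanded.
$cmd = 'printf %s ' . escapeshellarg($stored);

// What a "generic cleaner" gets wrong: encoding before storage. The encoded
// copy no longer describes the real text, so every other context breaks.
$encodedBeforeStorage = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
check(preg_match('/' . preg_quote($encodedBeforeStorage, '/') . '/', $input) === 0,
    'a regex built from HTML-encoded data does not match the original text');
check(str_contains(escapeshellarg($encodedBeforeStorage), '&lt;'),
    'the shell would receive "&lt;" instead of what the user wrote');

echo $html, PHP_EOL;
echo $pattern, PHP_EOL;
echo $cmd, PHP_EOL;
```

The prepared statement is the only step that touches the database, and it performs no string escaping at all; each later escaper is applied to the same stored value and only to the output it is about to produce.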
Sanitising user input for MySQL
I'd also recommend not using the obsolete mysql_* functions and instead using PDO.
But to fix your existing code, use intval.
$id = intval($_GET['id']);
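The intval() fix above, placed beside the stricter validate-and-bind version a practitioner would reach for, as an added example that is not part of the answer. It assumes PHP with the pdo_sqlite extension; the items table, its rows and the sample inputs are constructed for the demo.

```php
<?php
// Added example: intval() versus validating the id and binding it as an integer.
// Assumes the pdo_sqlite extension; table contents are constructed here.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO items (id, name) VALUES (1, 'first'), (2, 'second')");

// The fix from the answer: intval() guarantees an integer, so no quote or
// keyword ever reaches the SQL. Downside: garbage is silently coerced,
// "abc" becomes 0 and "2' OR '1'='1" becomes 2, and the caller never learns
// that the request was malformed.
function fetchByIntval(PDO $pdo, string $rawId): ?string
{
    $id = intval($rawId);
    $row = $pdo->query("SELECT name FROM items WHERE id = $id")->fetchColumn();
    return $row === false ? null : $row;
}

// Stricter: accept only a whole positive integer, and still bind it rather than
// interpolating, so the query text is identical for every request.
function fetchValidated(PDO $pdo, string $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // caller answers 400/404 instead of guessing an id
    }
    $stmt = $pdo->prepare('SELECT name FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

// Constructed inputs; the middle two are injection attempts.
foreach (['2', "2' OR '1'='1", '1 UNION SELECT name FROM items', 'abc'] as $raw) {
    printf("%-32s intval: %-9s validated: %s\n",
        $raw,
        var_export(fetchByIntval($pdo, $raw), true),
        var_export(fetchValidated($pdo, $raw), true));
}
```

Both versions stop the injection, because an integer cannot carry SQL. The difference is what happens to malformed input: intval() quietly returns a record the user never asked for, while the validated version rejects the request so the application can answer with an error.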
php input security
Am I doing it the right way to protect myself against a malicious attack
Definitely NO.
Protection is not something like using one magic method to make all attacks disappear in a puff of smoke.
You need different scenarios for different attacks. A condom is commonly used for safety. Would you secure your money with a condom? I suppose - no.
Same here.
Also, mindlessly mixing protection techniques will spoil your data.
For example, if your admin has the ability to post HTML from some online editor, this SanitizeString will make it impossible.
In fact, your function is trying to protect only from XSS, and obviously in the wrong way.
For the other attacks you need other things. SQL injection protection I described in this answer.
Is this sufficient security for user input in PHP
Once again, there is no universal escape function that just magically makes things "secure".
See this: https://stackoverflow.com/a/7810880/362536
Different escape methods are used for different things. You can't just run a bunch of data through a bunch of functions that are supposed to be used in specific contexts. You are creating garbage data, and are no more secure than you were with the raw user data in the first place.
Will this code actually work against SQL-injection?
Generic code cleaning functions are always a bad idea. They will break your data in one way or the other. Never use them; sanitize data right before it gets used, with the right sanitation method for the intended use.
Duplicate: PHP: the ultimate clean/secure function
Best and simplest way to secure login form
You should use a secure approach like the one in the helpful links below:
https://secure.php.net/manual/en/function.password-hash.php
https://secure.php.net/manual/en/function.password-verify.php
Here is the example:
<?php
// See the password_hash() example to see where this came from.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';
// Default to an empty string so a missing form field does not raise a notice;
// password_verify() simply returns false for it.
if (password_verify($_POST['password'] ?? '', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
Hope this helps
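The manual snippet above verifies against a hard-coded hash. The added example below (not code from the answer or the PHP manual) carries the same two functions through a complete register/login round trip: hashes stored via prepared statements, a dummy hash so unknown usernames cost the same as real ones, and password_needs_rehash() to upgrade old hashes. It assumes PHP with the pdo_sqlite extension; the users table, usernames and passwords are constructed for the demo.

```php
<?php
// Added example: registration and login built on password_hash()/password_verify().
// Assumes the pdo_sqlite extension; all data below is constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');

// Verified against when the username does not exist, so the failure path runs
// a real bcrypt comparison and does not reveal which usernames exist via timing.
$DUMMY_HASH = password_hash('dummy-not-a-real-password', PASSWORD_DEFAULT);

function registerUser(PDO $pdo, string $username, string $password): void
{
    // Store only the hash. PASSWORD_DEFAULT is currently bcrypt, which embeds
    // its own random salt and cost factor in the hash string it returns.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $pdo, string $username, string $password, string $dummyHash): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), even for an unknown user.
    $hash = $row === false ? $dummyHash : $row['password_hash'];
    $ok = password_verify($password, $hash);
    if (!$ok || $row === false) {
        return false;
    }

    // Transparently upgrade hashes made with an older algorithm or lower cost.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return true;
}

registerUser($pdo, 'alice', 'correct horse battery staple');

var_dump(login($pdo, 'alice', 'correct horse battery staple', $DUMMY_HASH)); // right password
var_dump(login($pdo, 'alice', 'wrong', $DUMMY_HASH));                         // wrong password
var_dump(login($pdo, 'nobody', 'anything', $DUMMY_HASH));                     // unknown user, same cost
```

Nothing in this flow escapes the password or the username by hand: the username is bound as a query parameter and the password is only ever fed to password_hash() or password_verify().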