Hi folks, this is my first post here. I’ve had a look around and I’m not sure how to find out what I’m looking for, so I thought I’d write a post.
I have been doing a lot of reading lately about PHP and MySQL security, and how to stop injections and whatnot. I’m aware of the concepts of what needs to be done, but not the real meat and bones procedure behind it.
My own take on how to make my form inputs safer was to write a PHP function like this:
```php
<?php
// Replaces a fixed list of characters with their numeric HTML entities.
function sanitizeInput($string)
{
    $sanitized_string = str_replace(";", "&#59;", $string);
    $sanitized_string = str_replace("*", "&#42;", $sanitized_string);
    $sanitized_string = str_replace("-", "&#45;", $sanitized_string);
    $sanitized_string = str_replace("'", "&#39;", $sanitized_string);
    $sanitized_string = str_replace("\"", "&#34;", $sanitized_string);
    $sanitized_string = str_replace(",", "&#44;", $sanitized_string);
    $sanitized_string = str_replace("(", "&#40;", $sanitized_string);
    $sanitized_string = str_replace(")", "&#41;", $sanitized_string);
    return $sanitized_string;
}
```
(I’ve added spaces to the HTML codes because whenever I type them in here properly, my browser displays them as the actual characters, not the HTML codes.)
I know that the addslashes and stripslashes commands are supposed to be involved too, but I figured that maybe this is a safe extra layer of security?
Is my function completely pointless? Are there better methods to do what I want to do?
Thanks in advance for any feedback.
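An added example (not from the original post) of the approach that replaces input sanitising for the SQL side: hand user data to the database as bound parameters of a prepared statement, store it unchanged, and escape it for HTML only at the point where it is printed. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the `users` table, its columns and the sample name are assumptions made for the demo.

```php
<?php
// Added example, not code from the original post. PDO with SQLite in memory
// so it runs offline; for MySQL only the DSN and credentials change, and you
// should also set PDO::ATTR_EMULATE_PREPARES to false so the MySQL server,
// not the client library, handles the parameters.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed input: a legitimate name containing a quote and a hyphen.
// The entity-replacing sanitizer above would store it as O&#39;Brien&#45;Smith,
// which is then wrong for every non-HTML use of the value (CSV, email, JSON).
$name = "O'Brien-Smith";

// The SQL text contains no user data at all; :name is filled in by the driver
// after the statement has been parsed, so the quote can never end the string.
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $name]);

// Same pattern for reads: the parameter is matched as data, not as syntax.
$select = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
$select->execute([':name' => $name]);
$row = $select->fetch(PDO::FETCH_ASSOC);

// What came back is byte-for-byte what the user typed.
assert($row['name'] === $name);

// Escaping happens per output context, when the value is rendered. For HTML:
echo htmlspecialchars($row['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
// A different sink (a shell command, a URL, a JSON body) needs its own encoder;
// the stored value itself stays untouched.
```

Run it with `php example.php`; assertions are evaluated by default unless `zend.assertions` is set to -1 in php.ini.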