I’m using PHP 5 with the SQLite3 class and I’m wondering if using PHP’s built-in data filtering function (http://php.net/manual/en/book.filter.php) with the flag FILTER_SANITIZE_STRING is enough to stop SQL injection and XSS attacks.
I know I can go grab a large ugly PHP class to filter everything but I like to keep my code as clean and as short as possible.
No, it is not “enough” and even if it were, it’s the wrong tool for the job. You should be using prepared statements (the SQLite3 class makes this easy).
Sanitizing and validating data are done to ensure that the data is valid (or at least contains valid characters) - it has nothing whatever to do with security.
To secure against SQL injection you do as Salathe suggested and use prepared statements that keep the SQL and the data completely separate so as to make SQL injection impossible.
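To make the two answers concrete, here is an added example (my code, not code posted by either answerer) showing the same lookup done by string concatenation and by a prepared statement with the SQLite3 class, with validation and HTML output escaping kept as the separate steps they are. The database, table, rows and the function names are all constructed for the example; it is written for the asker's PHP 5 setup, so it uses no PHP 7 type declarations.

```php
<?php
// Added example, not code from the original answers. It creates an in-memory
// SQLite database with constructed sample rows and runs the same lookup two ways.
// Written for the asker's PHP 5 / SQLite3 setup (no PHP 7 type declarations).

function makeDb()
{
    $db = new SQLite3(':memory:');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    // Constructed sample rows; the second name contains a quote on purpose.
    $db->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com')");
    $db->exec("INSERT INTO users (name, email) VALUES ('o''brien', 'ob@example.com')");
    return $db;
}

// UNSAFE: the caller's string is spliced into the SQL text, so the database
// parses it as SQL. Running it through filter_var() with FILTER_SANITIZE_STRING
// first does not fix that: it strips tags and HTML-encodes quotes, which is an
// output-encoding step, and it mangles legitimate names such as o'brien.
// Kept here only for contrast; it is not called below.
function findUserUnsafe(SQLite3 $db, $name)
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    return $db->querySingle($sql, true);
}

// SAFE: a prepared statement keeps SQL and data separate. The value is bound as
// a parameter and is never parsed as SQL, whatever characters it contains.
function findUserSafe(SQLite3 $db, $name)
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, SQLITE3_TEXT);
    $row = $stmt->execute()->fetchArray(SQLITE3_ASSOC);
    return $row === false ? null : $row;
}

// Validation is a separate concern: filter_var() decides whether the input is
// the kind of value the application expects; it does not protect the query.
function validEmail($email)
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// XSS is handled at output time, not at query time: escape for the HTML context
// at the point where the value is written into the page.
function renderName($row)
{
    $name = $row === null ? 'unknown' : $row['name'];
    return '<li>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</li>';
}

$db = makeDb();
$input = "o'brien"; // constructed input containing a single quote

$row = findUserSafe($db, $input); // finds the row; the quote is just data
echo renderName($row), PHP_EOL;   // the quote is encoded for HTML on output, not in storage
var_dump(validEmail('alice@example.com'));
var_dump(validEmail('not an address'));
```

The point the layout makes: the value is stored exactly as the user typed it, the query never sees it as SQL because it is bound with `bindValue()`, and the HTML encoding happens once, in `renderName()`, for the context where it is needed. `FILTER_SANITIZE_STRING` does neither job well, and it is deprecated as of PHP 8.1, so code that relies on it will need changing anyway.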