Sanitizing user's data in GET by PHP

情歌与酒 2020-11-28 18:58

How do you sanitize data in $_GET -variables by PHP?

I sanitize only one variable in GET by strip_tags. I am not sure whether I should

5 answers
  •  庸人自扰
    2020-11-28 19:34

    Sanitize your inputs according to where they are going.

    • If you display it (on a page or as an input field's value), use htmlspecialchars and/or str_replace.
    • If you use it as another type, cast it.
    • If you include it in a SQL query, escape it using the appropriate function, maybe strip html tags if you do want those to be totally removed (which is not the same as escaped).

    Same for POST or even data from your DB, since the data inside your DB should generally not be escaped.

    Two things you should check:

    1. Encoding of your input vs. your PHP scripts / output / DB table
    2. If you have magic_quotes_gpc enabled, you should either disable it (whenever you can) or apply stripslashes() to GET, POST and COOKIE values. magic_quotes_gpc is deprecated; you should sanitize the data you manipulate, depending on the use of that data.
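As an added example (not code from the question or any answer), the same constructed $_GET values handled per destination as the answer above describes: HTML output, a typed cast, and a SQL query. The SQL path uses PDO bound parameters, which keep data apart from query text and so achieve what per-driver escaping is for; the in-memory SQLite table and the sample values are constructed for the demo.

```php
<?php
// Constructed stand-in for $_GET so the script runs offline.
$get = [
    'name' => "O'Brien <b>admin</b>",
    'page' => '3abc',
];

// Legacy caveat from the answer: if magic_quotes_gpc is still on (PHP < 5.4),
// undo its slashes first so the value is escaped only once, at its destination.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $get = array_map('stripslashes', $get);
}

// 1. Destination: HTML. Encode for the HTML context, including both quote
//    characters, so the value is also safe inside a quoted attribute.
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Destination: a typed value. Validate and cast rather than trusting the
//    string; fall back to a default when the input is not a valid integer.
function forInt(string $value, int $default = 1): int
{
    $int = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $int === false ? $default : $int;
}

// 3. Destination: SQL. Bind the raw value as a parameter; the driver handles
//    quoting, so neither manual escaping nor tag stripping is needed here.
function findUser(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database standing in for the real one.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('O''Brien <b>admin</b>')");

echo 'HTML: <input value="' . forHtml($get['name']) . '">', PHP_EOL;
echo 'Page: ' . forInt($get['page']), PHP_EOL;
echo 'Rows: ' . count(findUser($db, $get['name'])), PHP_EOL;
```

Note that the raw value is passed to findUser(): a value that was HTML-encoded for output must never be the one stored or queried, which is why the answer says data in the DB should not be escaped.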
