The ultimate clean/secure function

Backend · Unresolved · 7 answers · 2477 views
忘掉有多难 2020-11-22 03:11

I have a lot of user inputs from $_GET and $_POST... At the moment I always write mysql_real_escape_string($_GET['var'])..

I

7 answers
  •  忘掉有多难
    2020-11-22 03:49

    The problem is, something clean or secure for one use won't be for another: cleaning for part of a path, for part of a MySQL query, for HTML output (as HTML, in JavaScript, or in an input's value), or for XML may require different things, which contradict each other.

    But, some global things can be done. Try to use filter_input to get your user's input. And use prepared statements for your SQL queries.

    Although, instead of a do-it-all function, you can create some class which manages your inputs. Something like this:

    <?php
    // The answerer's sketch, made runnable: the original called mysql_real_escape_string(),
    // which needs the mysql extension removed in PHP 7. This version takes a mysqli
    // connection so the MySQL branch works, and fails loudly for any other driver
    // instead of silently returning null.
    class inputManager{
      // Read a GET field and encode it for HTML output.
      static function toHTML($field){
        $data = filter_input(INPUT_GET, $field, FILTER_SANITIZE_SPECIAL_CHARS);
        return $data;
      }
      // Read a GET field and escape it for inclusion in a MySQL query string.
      static function toSQL($field, mysqli $conn, $dbType = 'mysql'){
        $data = filter_input(INPUT_GET, $field);
        if($dbType == 'mysql'){
          return mysqli_real_escape_string($conn, (string)$data);
        }
        throw new InvalidArgumentException("Unsupported dbType: $dbType");
      }
    }


    With this kind of thing, if you see any $_POST, $_GET, $_REQUEST or $_COOKIE in your code, you know you have to change it. And if one day you have to change how you filter your inputs, just change the class you've made.
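A fuller version of the same idea, written here as an added example rather than the answerer's code: the value is read once, unescaped, and encoded for each output context at the point it is emitted, while the SQL path binds the value through a PDO prepared statement instead of escaping it into the query text. The class name, the `$pdo` connection and the `users` table are assumptions.

```php
<?php
// Added example, not the answerer's code. One method per output context, because
// the same value needs different treatment for an HTML body, a <script> literal,
// a URL component and a SQL parameter. Assumes a PDO connection $pdo and a
// hypothetical table `users`.
declare(strict_types=1);

final class InputManager
{
    /** Raw value from POST or GET, or null when absent. Nothing is escaped here. */
    public static function raw(string $field): ?string
    {
        $v = filter_input(INPUT_POST, $field) ?? filter_input(INPUT_GET, $field);
        return $v === false ? null : $v;
    }

    /** For text nodes and quoted attribute values in an HTML document. */
    public static function toHtml(?string $v): string
    {
        return htmlspecialchars((string)$v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    /** For a string literal inside a <script> block; HEX flags block "</script>" breakouts. */
    public static function toJs(?string $v): string
    {
        return (string)json_encode((string)$v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    }

    /** For a single query-string component of a URL. */
    public static function toUrl(?string $v): string
    {
        return rawurlencode((string)$v);
    }

    /** SQL: never escape into the query text; bind the value as a parameter. */
    public static function findUser(PDO $pdo, ?string $name): array
    {
        $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
        $stmt->execute([':name' => (string)$name]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Usage: the same raw value, encoded per context where it is emitted.
$name = InputManager::raw('name');
echo '<p>Hello, ' . InputManager::toHtml($name) . '</p>';
echo '<script>var user = ' . InputManager::toJs($name) . ';</script>';
echo '<a href="/profile?u=' . InputManager::toUrl($name) . '">profile</a>';
```

A grep for `$_GET`, `$_POST`, `$_REQUEST` or `$_COOKIE` outside this class then flags every place that still bypasses it.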
