how to clean POST and GET vars in PHP for XSS and SQL injection

Question

In my web app is a config file which includes ie database connection settings ans is always loaded at the first line of a PHP script. I would like to include a function which cleans all POST and GET data for maybe existing XSS and SQL Injection risks.

I am not sure if that function is really enough

function make_safe($variable) 
{
   $variable = strip_tags(mysql_real_escape_string(trim($variable)));
   return $variable; 
}

foreach ($_POST as $key => $value) {
   $_POST[$key] = make_safe($value);
}
//Same for $_GET & $_SESSION

Do you have recommendation for this problem?

Answer 1

This function:

function make_safe($variable) 
{
   $variable = strip_tags(mysql_real_escape_string(trim($variable)));
   return $variable; 
}

Will not work

SQL injection and XSS are two different beasts. Because they each require different escaping you need to use each escape function strip_tags and mysql_real_escape_string separatly. Joining them up will defeat the security of each.

Use the standard mysql_real_escape_string() when inputting data into the database. Use strip_tags() when querying stuff out of the database before outputting them to the screen.

Why combining the two function is dangerous From the horses mouth: http://php.net/manual/en/function.strip-tags.php

Because strip_tags() does not actually validate the HTML, partial or broken tags can result in the removal of more text/data than expected.

So by inputting malformed html into a database field a smart attacker can use your naive implementation to defeat mysql_real_escape_string() in your combo.