Prevent SQL injection and XSS attacks
Question
Will this function below be able to prevent XSS attacks and sql injections ?
require_once('security.class.php');
function secure_data($data) {
$data = mysql_real_escape_string($data);
$filtered_data = filter_var($data, FILTER_SANITIZE_STRING);
$secure_class = new security_class();
$clean_data = $secure_class->xss_clean($filtered_data);
return $clean_data;
}
The security class is from codeigniter.
1 answers
solution1
6 ACCPTED 2013-02-27 09:19:01
You shouldn't be trying to "brute force" security like this - layering all of these different filters/escapes one after another on every piece of data is silly and may actually make the escaping not work as intended.
This is because the kinds of characters that are added for one kind of escaping may be removed by another. You may also end up with over-escaping.
Instead, you should use the escaping function that is specifiy for what you are actually trying to do:
- Before you put values into a SQL query, run them through
mysqli_real_escape_string()(or better yet, use prepared statements via MySQLi/PDO). - Before you echo values out to a HTML response, run them through HTML escaping and/or XSS cleaning.
- Etc.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.