Will this function below be able to prevent XSS attacks and SQL injections?
require_once('security.class.php');   // CodeIgniter's security class
function secure_data($data) {
    // SQL escaping; requires an open mysql_* connection (extension removed in PHP 7)
    $data = mysql_real_escape_string($data);
    // Strips tags and HTML-encodes quotes (deprecated since PHP 8.1)
    $filtered_data = filter_var($data, FILTER_SANITIZE_STRING);
    // CodeIgniter's XSS filter, applied on top of the two previous layers
    $secure_class = new security_class();
    $clean_data = $secure_class->xss_clean($filtered_data);
    return $clean_data;
}
The security class is from CodeIgniter.
You shouldn't be trying to "brute force" security like this - layering all of these different filters/escapes one after another on every piece of data is silly and may actually make the escaping not work as intended.
This is because the kinds of characters that are added for one kind of escaping may be removed by another. You may also end up with over-escaping.
Instead, you should use the escaping function that is specific to what you are actually trying to do:
mysqli_real_escape_string()
(or better yet, use prepared statements via MySQLi/PDO).
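The following is an added example, not code from the question or the answer above, showing both halves of the point: how the stacked filters from the question rewrite each other's output, and what context-specific handling (bound parameters for SQL, HTML escaping only at output time) looks like. It assumes PHP with the pdo_sqlite extension so it runs without a MySQL server, and uses addslashes() as a stand-in for mysqli_real_escape_string(), which needs a live connection; the input string is constructed for the demonstration.

```php
<?php
// Added illustration (not from the question or answer): stacked escaping
// corrupts data, while binding parameters and escaping for the output
// context keeps the data intact and the SQL/HTML syntax safe.
// Assumptions: PDO with SQLite (in-memory) is available; addslashes()
// stands in for mysqli_real_escape_string(), which needs a DB connection.

declare(strict_types=1);

// Constructed sample input: a legitimate name with a quote and markup-like text.
$input = "O'Reilly <b>& Sons</b>";

// 1. The layered approach from the question. Each layer rewrites the previous
//    layer's output: addslashes() inserts a backslash before the quote, and
//    FILTER_SANITIZE_STRING then strips the tags and turns the quote into an
//    HTML entity, so what would reach the database is no longer the user's
//    data (and FILTER_SANITIZE_STRING is deprecated as of PHP 8.1).
function stacked_filters(string $data): string {
    $data = addslashes($data);
    $data = filter_var($data, FILTER_SANITIZE_STRING);
    return $data;
}

// 2. SQL context: parameters are bound, never interpolated into the query,
//    so the raw text is stored exactly as typed and cannot alter the statement.
function store_and_fetch(PDO $db, string $name): string {
    $db->exec('CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $insert->execute([':name' => $name]);

    $select = $db->prepare('SELECT name FROM users WHERE name = :name');
    $select->execute([':name' => $name]);
    return (string) $select->fetchColumn();
}

// 3. HTML context: escaping happens once, at output time, for the output context.
function render_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

echo 'Stacked filters would store:   ' . stacked_filters($input) . PHP_EOL;
$stored = store_and_fetch($db, $input);
echo 'Prepared statement stored:     ' . $stored . PHP_EOL;
echo 'Same value rendered into HTML: ' . render_html($stored) . PHP_EOL;
```

Run it with `php example.php`: the first line shows the mangled value the stacked filters produce, the second shows that the prepared statement stored and returned the input unchanged, and the third shows the stored value escaped for HTML only where it is actually emitted into a page.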