A little rusty on protecting input

nick-8318

Established Member
Impact
23
I've got some PHP code inserting things into a database....

I'm a little rusty on how to protect the data to prevent XSS and SQL injections, looking for some tips.

PHP:
$userid = $_GET['userid'];
$strangerid = $_GET['strangerid'];
$message = clean($_GET['message']);

// and then clean() here:
/* functions used throughout the script */
function clean($data)
{
	global $mysqli;
	
	if (get_magic_quotes_gpc())
	{
		$data = stripslashes($data);
	}
	return strip_tags($mysqli->escape_string($data));
}


Would is_numeric() be efficient for userid/strangerid?

and

Is clean() good enough?
 
0
•••
is_numeric() just tells you if it is a number; it doesn't actually sanitize the data held by that variable.

To ensure that the variable is an integer, do the following:

PHP:
$userid = intval($_GET['userid']);
$strangerid = (int) $_GET['strangerid'];

Either method will cast the value to an integer.

Cheers,

Jay
 
0
•••
Thank you, baxter.

I'll give that a go.
 
0
•••
Look up prepared statements, and if it is a bigger project, something like PEAR DataObject to abstract your data is efficient.
 
0
•••
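Putting Jay's integer cast together with the prepared-statements suggestion from the reply above, here is an added example of how the original insert could look. It is not code from anyone in this thread; the table name `messages`, its columns, the connection details and the `h()` helper are assumptions made for the example.

```php
<?php
// Added example, not from the thread. Assumes a table
//   messages (user_id INT, stranger_id INT, body TEXT)
// and MySQL connection details; both are assumptions.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Step 1: validate the ids as integers. Unlike a bare (int) cast,
// FILTER_VALIDATE_INT rejects "12abc" instead of turning it into 12,
// and min_range rejects zero and negative ids. It returns null when the
// parameter is absent and false when it is present but not an integer.
$userid     = filter_input(INPUT_GET, 'userid', FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1]]);
$strangerid = filter_input(INPUT_GET, 'strangerid', FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1]]);
$message    = $_GET['message'] ?? '';

if (!is_int($userid) || !is_int($strangerid)) {
    http_response_code(400);
    exit('invalid id');
}

// Step 2: insert with a prepared statement. The query text is sent first
// and the values are bound separately, so quotes, semicolons or comment
// markers in $message are stored as plain data and cannot alter the SQL.
// No escape_string() call is needed for bound parameters.
$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // assumed
$mysqli->set_charset('utf8mb4');

$stmt = $mysqli->prepare(
    'INSERT INTO messages (user_id, stranger_id, body) VALUES (?, ?, ?)'
);
$stmt->bind_param('iis', $userid, $strangerid, $message); // i = int, s = string
$stmt->execute();
$stmt->close();

// Step 3: XSS is handled at output time, not at storage time. The raw text
// is kept in the database and encoded wherever it is rendered into HTML,
// so the same stored value can also be used safely in JSON, e-mail, etc.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$stmt = $mysqli->prepare('SELECT body FROM messages WHERE user_id = ?');
$stmt->bind_param('i', $userid);
$stmt->execute();
$result = $stmt->get_result();

echo "<ul>\n";
while ($row = $result->fetch_assoc()) {
    echo '  <li>' . h($row['body']) . "</li>\n";
}
echo "</ul>\n";
$stmt->close();
```

Compared with the clean() function in the first post, this splits the two concerns the function was trying to cover at once: parameter binding handles SQL injection on the way in, and htmlspecialchars() handles XSS on the way out. strip_tags() on input is not needed for either and silently mangles messages that legitimately contain a `<` character.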