Sanitization & Validation


Back with another question.

I have come across this really nice function that I think sanitizes and validates (I really hope that statement is actually true). Here is the function and its usage.

    if (funcChkLogin($_POST['username'])) {
        $username = escape_data($_POST['username']);
    }

    function funcChkLogin($str)
    {
        // A-Za-z rather than the original A-z: in ASCII the A-z range also
        // accepts the six characters between 'Z' and 'a' ([ \ ] ^ _ `)
        return preg_match("/^[A-Za-z0-9_\-\.]{2,20}$/", stripslashes(trim($str)));
    }

    function escape_data($data)
    {
        // needs an open mysql_* connection, otherwise it returns false
        $data = mysql_real_escape_string(trim($data));
        $data = strip_tags($data);
        return $data;
    }

Because I read that the usage of stripslashes creates problems, I would like to ask how safe and strong this method is for sanitization. Can it be improved?

I know using PDOs is better, but there could be data that is not going into a database; then using a nice function like this would be a good idea to ensure we have clean PHP code running. Right?

Thanks all!


There are 2 best solutions below

Score: 4

mysql_real_escape_string might not be safe unless you take special precautions. It is also deprecated. Use PDO.

I know using PDOs is better but

No "but"s. Make the right choice.

Score: 0

Don't roll your own binding/escaping functionality

The only thing that you should be rolling your own code for is the "rules" that you actually want the user data to conform to. PHP already has the tools to deal with everything database-related. It also already has the functions to deal with outputting to HTML. The concept of sanitizing everything is generally an over-compensation reaction to realizing how horrible it can be to trust user input, and is not applicable to most of the situations where you're trying to apply it. Use existing native functions (& PDO).

Data should generally be converted only when it's changing format/storage

Instead of trying to sanitize for every possible future way to use the data, you should consider that when you change the format of data, you should be escaping or converting it at the last possible moment over into that new format, so that it has the display features of the new medium you want to have it in.

Use the right function (& PDO) for the right target

Want it to go into the database? Bind it for a prepared query at that time. Want to put it in your HTML? Escape it for HTML at exactly that time. Want it in JSON? json_encode it right before outputting it to your API. The functions that do these common escaping/binding/converting processes for you are always written into the PHP language, so don't reinvent the wheel.

One of the linked duplicate answers has some great examples of the functions that escape when you're converting from a php variable to a mysql data cell, or from a php variable to an html text display area. Just reuse those.
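Both answers make the same recommendation: write only the validation rule yourself, bind database parameters with PDO instead of escaping, and convert for HTML or JSON at the point of output. The script below is an added example illustrating that advice; it is not code from either answer or from the original post. It replaces the MySQL connection with an in-memory SQLite database through PDO so it runs offline, and the `users` table, its columns and the sample inputs are constructed for the illustration.

```php
<?php
// Added example (not from the original thread): validate the rule, then
// convert only at each boundary with PHP's native tools. SQLite in memory
// stands in for MySQL; table/column names and inputs are assumptions.
declare(strict_types=1);

/**
 * The one piece worth writing yourself: the business rule for a username.
 * Explicit A-Za-z; an "A-z" range would also accept [ \ ] ^ _ and `.
 * No trim()/stripslashes(): validate exactly the bytes the client sent.
 */
function isValidUsername(string $candidate): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{2,20}$/', $candidate) === 1;
}

/** Database boundary: a bound parameter, no escaping function at all. */
function insertUser(PDO $db, string $username): int
{
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:username)');
    $stmt->execute([':username' => $username]);
    return (int) $db->lastInsertId();
}

function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** HTML boundary: escape for this context, at output time only. */
function renderGreeting(string $username): string
{
    return '<p>Hello, ' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

/** JSON boundary: let json_encode do the quoting. */
function renderApi(array $user): string
{
    return json_encode($user, JSON_THROW_ON_ERROR);
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');

// Constructed sample inputs standing in for $_POST['username'].
$samples = [
    'alice_01',                   // passes the rule
    "bob' OR '1'='1",             // rejected by the rule (and inert to PDO anyway)
    '<script>alert(1)</script>',  // rejected by the rule; would be HTML-escaped regardless
    'C:\\Users\\mallory',         // rejected: backslash is not in the allowed set
    'a',                          // rejected: too short
];

foreach ($samples as $input) {
    if (!isValidUsername($input)) {
        printf("reject  %s\n", $input);
        continue;
    }
    $id   = insertUser($db, $input);
    $user = findUser($db, $input);
    printf("stored  id=%d %s\n", $id, $user['username']);
    echo renderGreeting($user['username']), "\n";
    echo renderApi($user), "\n";
}

// Binding keeps even a hostile string inert when the rule is bypassed: it is
// stored as a literal, byte for byte, and the table is untouched otherwise.
$hostile = "x'; DROP TABLE users; --";
insertUser($db, $hostile);
assert(findUser($db, $hostile)['username'] === $hostile);
assert(findUser($db, 'alice_01')['username'] === 'alice_01');
```

Note that nothing is "sanitized" into the database: the stored value is exactly what passed validation, with no doubled quotes or backslashes added by an escaping layer, so the same value can later be handed to `htmlspecialchars` or `json_encode` without first undoing an earlier conversion.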