Strip Tags, remove other characters and mysql_real_escape_string is it enough?


I'm working on a couple of pages to manage data coming from a textarea which the user can use to write some content through a basic WYSIWYG editor. In this textarea I enable a few tags. I'm wondering if the following process is going to be enough to protect myself from spam and other hidden dangers related to SQL injection and so on.

My steps

function string_db($value)
{
    $value = (get_magic_quotes_gpc()) ? stripslashes($value) : $value;
    return mysql_real_escape_string($value);
}

$content = string_db(trim($_POST['content']));
$content = strip_tags($content, '<p><a><b><u><i>'); // The 5 tags allowed
$content = str_replace("&lt;", "", $content);
$content = str_replace("&gt;", "", $content); // In case someone tries to type HTML entities instead of HTML code

// INSERT DATA IN DB

On the page where I display the data previously saved in the db I use:

echo html_entity_decode($contentFromDb);

Is this enough? Is there a list of tests to do in order to prove the effectiveness?

Thanks a lot

You should use PHP's PDO functionality instead. Using this you create prepared statements, which will help eliminate SQL injection vulnerabilities.

$DBH = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
# prepare the statement once; `table` is quoted because TABLE is a reserved word in MySQL
$STH = $DBH->prepare("INSERT INTO `table` (col1, col2, col3) VALUES (?, ?, ?);");

# assign variables to each place holder, indexed 1-3
# bindParam() binds by reference, so the values can be set after binding
$STH->bindParam(1, $col1var);
$STH->bindParam(2, $col2var);
$STH->bindParam(3, $col3var);

# insert one row
$col1var = "My first value";
$col2var = "Value 2";
$col3var = "Someone's 3rd value";
$STH->execute();

# insert another row with different values
$col1var = "My first value; Query 2";
$col2var = "Value 2 -- of the second query";
$col3var = "Someone's 3rd value;#This one has weird characters";
$STH->execute();

In the above example, we connect to the database and set the database handle as $DBH. Then we prepare our query and use unnamed placeholders (the ?s). Next we bind our PHP variables to the unnamed placeholders. Finally, we set our variables and execute the query. This can be repeated with new values, simply by changing the data in the PHP variables.
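Putting the two halves together (the prepared statement from this answer and the five-tag whitelist from the question), here is an added example that is not code from either post: the raw text is stored through a bound parameter, and the markup is filtered on output with a real parser instead of strip_tags(), which leaves every attribute on an allowed tag untouched. It assumes a table `posts` with a TEXT column `content` and a live `$pdo` handle.

```php
<?php
// Assumed: a table `posts` with a TEXT column `content`, and $pdo as a live PDO handle.
function save_content(PDO $pdo, string $content): void
{
    // A bound parameter is never parsed as SQL, so no escaping step is needed: store the text as typed.
    $stmt = $pdo->prepare('INSERT INTO posts (content) VALUES (?)');
    $stmt->execute([$content]);
}

function sanitize_html(string $html): string
{
    $allowedTags  = ['p', 'a', 'b', 'u', 'i'];  // the five tags from the question
    $allowedAttrs = ['a' => ['href']];          // strip_tags() would keep every attribute
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);           // tolerate fragments and sloppy markup
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);
    clean_node($root, $allowedTags, $allowedAttrs);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);         // text nodes come back entity-encoded
    }
    return $out;
}

function clean_node(DOMNode $node, array $tags, array $attrs): void
{
    // Walk a snapshot of the children, because the tree is edited in place.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            clean_node($child, $tags, $attrs);  // clean descendants first
            $name = strtolower($child->nodeName);
            if (!in_array($name, $tags, true)) {
                // Not whitelisted: keep the (already cleaned) children, drop the tag itself.
                while ($child->firstChild) { $node->insertBefore($child->firstChild, $child); }
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                // Only whitelisted attributes survive, and href must be an absolute http(s) URL.
                $keep = in_array($attr->name, $attrs[$name] ?? [], true)
                    && ($attr->name !== 'href' || preg_match('#^https?://#i', $attr->value) === 1);
                if (!$keep) { $child->removeAttribute($attr->name); }
            }
        } elseif (!$child instanceof DOMText) {
            $node->removeChild($child);         // comments and other non-text nodes
        }
    }
}
```

Rendering with `echo sanitize_html($contentFromDb);` replaces the html_entity_decode() call from the question, which would otherwise turn stored entities back into live markup.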