0xploit.com

Web Development: Basic protection against XSS attacks and SQL injection

The essence of this solution is to filter the data transmitted via GET, POST and/or COOKIE before it is processed further or written to the database. We are talking about basic, initial protection only.

In this article I will give examples of how each method is used and what its disadvantages are.
Here is the actual code:

(The code block was hidden behind a reply-to-view gate in the original post and is not reproduced here.)
The above example only handles GET requests, so the loop needs to be repeated at least for POST and COOKIE. Unfortunately, I did not manage to implement this solution recursively in a function and pass all the arrays we need ($_GET, $_POST and $_COOKIE) at the same time. Most importantly, what has not been implemented is a recursive traversal of multidimensional arrays of this type, which is due to the way data is passed into a function, as well as the limited use of variable variables.
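The recursive traversal of nested arrays described above can be done with a plain recursive function that walks every level and applies one per-value filter to each leaf, then assigning the result back to each superglobal. The following is an added example, not the post's hidden code; the filtering steps reproduce the ones discussed in the rest of the post, and the `$jsxss` list of event handler names is an assumed stand-in for the author's own list.

```php
<?php
// Added example (not the original post's hidden code): recursive filtering of
// $_GET, $_POST and $_COOKIE. $jsxss is an assumed list of inline event
// handler names standing in for the author's own list.
$jsxss = array("onload", "onerror", "onclick", "onmouseover", "onfocus");

function clean_value(string $v, array $jsxss): string {
    // Remove whole <script>...</script> blocks, case-insensitively, across newlines.
    $v = preg_replace("'<script[^>]*?>.*?</script>'si", "", $v);
    // Cut out inline event handler names (case-insensitive, since ONCLICK is valid HTML).
    $v = str_ireplace($jsxss, "", $v);
    // Drop the characters the post considers dangerous for SQL.
    $v = str_replace(array("*", "\\"), "", $v);
    // Remove any remaining tags.
    $v = strip_tags($v);
    return $v;
}

function clean_recursive($data, array $jsxss) {
    if (is_array($data)) {
        $out = array();
        foreach ($data as $k => $v) {
            // Keys are user-controlled too, so they get the same treatment.
            $out[clean_value((string)$k, $jsxss)] = clean_recursive($v, $jsxss);
        }
        return $out;
    }
    return clean_value((string)$data, $jsxss);
}

// Apply to each superglobal so the rest of the script only sees filtered data.
$_GET    = clean_recursive($_GET, $jsxss);
$_POST   = clean_recursive($_POST, $jsxss);
$_COOKIE = clean_recursive($_COOKIE, $jsxss);

// Constructed sample showing that nested arrays are reached:
$sample = array(
    "name" => "<b>Bob</b>",
    "tags" => array("x" => "<script>alert(1)</script>ok", "y" => "a*b\\c"),
);
var_dump(clean_recursive($sample, $jsxss));
// name => "Bob", tags => array(x => "ok", y => "abc")
```

Note that this kind of input filtering is lossy: a legitimate `*` in a search string or a backslash in a Windows path is silently destroyed, and the `str_ireplace` step also eats the letters "onload" out of ordinary words. It reduces the attack surface but does not replace encoding values at output time and passing them to the database through prepared statements.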
QUOTE:
$v = preg_replace("'<script[^>]*?>.*?</script>'si", "", $v);
Here we remove obviously unnecessary JavaScript code. This step may be undesirable if you do want to allow users to submit such code, not for execution but for display, for example on forums.
QUOTE:
$v = str_replace($jsxss,"",$v);
This step is similar to the first one, only here we cut out the event handler names (the $jsxss list) that can be used for XSS attacks. You could slightly modify this solution and cut out not only the event itself but also the content attached to it. But I haven't seen the need yet.
QUOTE:
$v = str_replace(array("*", "\\"), "", $v);
These characters, especially the backslash, can break your SQL. Since the backslash itself is rarely needed in user input and its potential for harm is considerable, I decided to nip it in the bud.

QUOTE:
$v = mysql_real_escape_string( $v );
Using this function can cause double escaping of characters, because escaping is most likely already applied when the data is written to the database; on the other hand, like no other, it helps protect against SQL injection and protect your data. When using it, it must be called after connecting to the database. Also, remember that mysql_real_escape_string is no longer available in PHP 7, and which escaping function applies depends on the connection method: for example, when connecting through mysqli you need mysqli_real_escape_string.
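The two points above, that escaping must happen after the connection is open and that the function depends on the connection method, look like this with mysqli. This is an added example, not code from the post; the connection credentials are placeholders, and the prepared statement at the end goes beyond the post by showing the approach that removes the double-escaping problem entirely.

```php
<?php
// Added example (not from the original post). Connection details are placeholders.
$db = new mysqli("localhost", "DB_USER_PLACEHOLDER", "DB_PASS_PLACEHOLDER", "DB_NAME_PLACEHOLDER");
if ($db->connect_error) {
    die("connect failed: " . $db->connect_error);
}
// real_escape_string depends on the connection's character set, so set it first.
$db->set_charset("utf8mb4");

$username = $_POST["username"] ?? "";

// 1) Escaping, called only after the connection exists, as the post recommends.
$safe = $db->real_escape_string($username);
$sql  = "SELECT id FROM users WHERE name = '$safe'";
// Escaping only protects a value placed inside a quoted string literal; an
// unquoted numeric context such as "WHERE id = $id" is not helped by it.

// 2) Prepared statement: the value never becomes part of the SQL text, so there
//    is nothing to escape and nothing to escape twice.
$stmt = $db->prepare("SELECT id FROM users WHERE name = ?");
$stmt->bind_param("s", $username);   // "s" = bind as string
$stmt->execute();
$stmt->bind_result($id);
while ($stmt->fetch()) {
    echo (int)$id, "\n";
}
$stmt->close();
$db->close();
```

If the data is always written through prepared statements, the escaping step in the input filter becomes unnecessary, which also removes the stray backslashes that double escaping leaves in stored text.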
QUOTE:
$v = strip_tags($v);
strip_tags removes all tags, but some of them are needed. Its second parameter specifies the tags to keep. The trouble is that there are so many needed tags that listing them all is quite a task, and worse, site developers also add tags of their own for certain functions of the site. Of course, it would be much more convenient to specify the tags to remove rather than the ones to keep, but let's be content with what we have. Regular expressions can also be used for such tasks.
QUOTE:
$v = htmlentities($v, ENT_QUOTES, "UTF-8");
QUOTE:
$v = htmlspecialchars($v, ENT_QUOTES);
I think these two functions need no introduction; one is much like the other, so using one of them is enough. However, they are not always appropriate.
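When these functions are appropriate depends on where the value ends up. Both only make a string safe for HTML body text and attribute values; inside a script block or a URL they are the wrong tool. The following added example (not from the post) shows one encoder per output context, with a constructed sample value; the helper names `e_html`, `e_js` and `e_url` are this example's own.

```php
<?php
// Added example (not from the original post): encode at output time for the
// context the value lands in, rather than mangling it on input.

function e_html(string $s): string {
    // HTML body text and quoted attribute values.
    // ENT_QUOTES also converts ' so single-quoted attributes are safe;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, "UTF-8");
}

function e_js(string $s): string {
    // A string literal inside an inline <script>: json_encode with the HEX
    // flags yields a literal that cannot close the tag or break the quotes.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function e_url(string $s): string {
    // A query-string component.
    return rawurlencode($s);
}

// Constructed sample input containing every HTML metacharacter.
$name = "O'Brien <b>\"admin\"</b> & co";

echo "<p>Hello, " . e_html($name) . "</p>\n";
echo '<input value="' . e_html($name) . "\">\n";
echo "<script>var user = " . e_js($name) . ";</script>\n";
echo '<a href="/profile?u=' . e_url($name) . "\">profile</a>\n";

// htmlentities() behaves like htmlspecialchars() for the five HTML
// metacharacters and additionally converts characters such as é to &eacute;.
// On a UTF-8 page that extra conversion buys nothing, so htmlspecialchars()
// with an explicit "UTF-8" charset is sufficient.
```

Encoding at output also avoids the problem the post mentions with input-time use: the stored value stays as the user typed it, and each page that displays it applies the encoding that its own context needs.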