mysql sanitisation example from book

Posted on 2014-08-22
Last Modified: 2014-08-24

Here is the example

function sanitiseString($var) {
    $var = stripslashes($var);   // strips the backslashes added by the caller's escaping
    $var = strip_tags($var);
    $var = htmlentities($var);
    return $var;
}

function sanitiseMySQL($conn, $var) {
    $var = $conn->real_escape_string($var);   // escapes quotes with backslashes...
    $var = sanitiseString($var);              // ...which stripslashes() then removes
    return $var;
}

$var = sanitiseMySQL($conn, $_POST['input']);
This is based on a mysqli connection object. I am asking out of curiosity as I use prepared statements anyway, but if my understanding is correct, wouldn't stripslashes in the first function undo the work of real_escape_string in the second function?

Or does stripslashes leave things alone that are escaped? I know it leaves alone escaped backslashes, but if you had escaped an apostrophe wouldn't this code just undo that?

I know this could open a whole sanitisation debate. That is not my point in asking. I don't understand the example, so I assume I am missing or overlooking something about stripslashes.

Question by:andieje

    Accepted Solution

    The example is wrong, full stop.  Don't use it.

    Correct examples are given in this article.

    Author Closing Comment

    Glad it's not just me :)

    Author Comment

    Actually I see I posted the question wrong; it should be

    $var = sanitiseMySQL($conn, $_POST['input']);

    I use PDO but I was still curious to understand what the author was doing.

    Expert Comment

    by:Ray Paseur
    curious to understand what the author was doing
    I have no earthly idea!  It does not make sense to me.

    You might want to be aware of the background on Magic Quotes, but that alone does not explain what the author was thinking.  The code just looks wrong, as if the instructions were out of order.

    The general design that I follow is this:

    1. Filter and sanitize the external input data by verifying that it makes sense (expected integers are, in fact, integers, string lengths are appropriate, etc.)

    2. Escape the data with a real_escape_string() function

    3. Store in the database

    4. Upon retrieval from the database, use htmlentities() before echo.

    This process ensures that you stored a true representation of what your script received and also protects the clients who see the stored data.  htmlentities() will prevent malicious JavaScript from being executed in the client browser, so it's important to use it before echoing any browser output.

    In any case, thanks for the points, ~Ray
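As an added illustration (not the book's code and not from anyone in this thread), the book's order is shown beside Ray's validate, escape, encode-on-output order, with addslashes() standing in for $conn->real_escape_string() so it runs without a database connection. The length rule in validateName() and all the function names are assumptions made for this example.

```php
<?php
// Added example, not from the book or the thread. addslashes() stands in for
// $conn->real_escape_string() so this runs with no MySQL connection; both
// backslash-escape quotes, which is what the question is about (the real
// function also escapes NUL, \n, \r and \x1a and is charset-aware).
function escapeForSql(string $var): string
{
    return addslashes($var); // assumption: stand-in for real_escape_string()
}

// The book's order: escape first, then stripslashes() removes the very
// backslashes the escape added. ENT_COMPAT mirrors the pre-PHP-8.1 default of
// a bare htmlentities($var): double quotes are encoded, single quotes are not.
function bookOrder(string $var): string
{
    $var = escapeForSql($var);
    $var = stripslashes($var);
    $var = strip_tags($var);
    return htmlentities($var, ENT_COMPAT, 'UTF-8');
}

// Ray's step 1: validate. The rule (1-40 chars, no control characters) is an
// assumption for the example; reject bad input rather than trying to repair it.
function validateName(string $var): ?string
{
    $var = trim($var);
    if ($var === '' || strlen($var) > 40 || preg_match('/[\x00-\x1f\x7f]/', $var)) {
        return null;
    }
    return $var;
}

// Steps 2 and 3: escape once, right before the value goes into the SQL literal.
// The table then holds the original text, not an HTML-encoded copy of it.
function sqlLiteral(string $var): ?string
{
    $clean = validateName($var);
    return $clean === null ? null : "'" . escapeForSql($clean) . "'";
}

// Step 4: encode for HTML only when echoing what came back from the database.
function renderValue(string $fromDb): string
{
    return htmlentities($fromDb, ENT_QUOTES, 'UTF-8');
}

$input = "O'Reilly <b>bold</b>";                  // constructed sample input
echo "book order : " . bookOrder($input) . "\n";   // single quote reaches the query unescaped
echo "sql literal: " . sqlLiteral($input) . "\n";  // quote stays escaped inside the literal
echo "rendered   : " . renderValue($input) . "\n"; // encoded only at output time
```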
