Let's say I have 2 scenarios:
1. I have a form and I receive a variable using the $_POST & $_GET methods. How do I sanitize that variable?
2. I have a form with 'file attach' capability. How do I sanitize that file so it will only accept .gif .jpg .bmp .doc .xsl files ONLY?
Please write step-by-step code so I can understand.
I appreciate all the help from members.
function clean($s, &$link) {
    // Undo magic_quotes escaping first so the value is not escaped twice
    if (get_magic_quotes_gpc())
        $s = stripslashes($s);
    // Escape the value for use inside a MySQL query string
    return mysql_real_escape_string($s, $link);
}
...to escape data for a MySQL query, however, this is usually not the only thing you want to do. Not only do you want to escape the data, but you also want to make sure that it's in the correct format, etc... For example, if you needed an integer value from a form then you could just cast it to type int:
$id = (int)$_GET['id'];
There are other things you can do to validate your data, as well. The whole idea is to KNOW what you are going to have before you use it; you don't want to have to guess what the user input was. If the input isn't formatted correctly or whatever, then you should let them know and not use it, as it's "unclean". This is the idea behind "cleaning data", so there isn't just one solution to give you as it really depends; however, the function I gave above will certainly escape data for a database query, no problem.
2) You have to strip the extension off the filename and compare that to an array of allowable ones. You can also check the mime type sent in $_FILES as well, however, this isn't always set or reliable so you should just check both of them; sometimes the browser doesn't set the mime type of the uploaded file. So to check the extension it would look something like this:
$allowable_ext = array('gif','jpg','bmp','doc','xsl');
# ...some upload-specific code here
# Split the original filename on '.' and take the last piece as the extension
$pieces = explode('.', $_FILES['f_upload']['name']);
$ext = $pieces[count($pieces) - 1];
# Reject anything that is not in the allowed list
if (!in_array($ext, $allowable_ext)) {
    echo 'Wrong extension.'; exit;
}
Remember, though, this still doesn't mean that you are 100% secure. First off, you should ALWAYS change the name of the uploaded file on the filesystem and never keep the original name. This is for security reasons, and also because usually you'd like to keep some sort of formatting to the names of your uploaded files; you can expect the files uploaded by users to be kind of odd-ball ;) Also, you should take the extra precaution to chmod all the files and remove any execution permissions; this would be bad if it had execution permissions, especially if it were accessible to the world, which is another thing to mention. If you don't need to, keep the uploaded files ABOVE the web root so that they are not accessible from the web.
Anyway, I hope this helps a little bit.
[edited by: eelixduppy at 3:42 pm (utc) on July 9, 2008]
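The reply above lists the pieces separately (cast or allowlist the form values, check the extension and the browser-reported MIME type, rename the file, chmod it, keep it above the web root). The script below puts them together in one upload handler. It is an added example, not code from the thread; the field names 'id', 'sort' and 'f_upload', the upload directory and the MIME list are assumptions, and it uses pathinfo() for the extension instead of explode().

```php
<?php
// Added example: validating form input and storing an upload as the reply describes.
// Assumption: UPLOAD_DIR is one level above the document root and writable by the
// web server user, so files in it cannot be requested directly by URL.
define('UPLOAD_DIR', dirname($_SERVER['DOCUMENT_ROOT']) . '/uploads');

// 1) Know what you expect before you use it: an id must be a positive integer.
function clean_id($raw) {
    $id = (int)$raw;            // non-numeric input becomes 0 and is rejected below
    return $id > 0 ? $id : null;
}

// A value that selects behaviour (sort column, mode, ...) is best allowlisted:
// anything that is not one of these exact strings falls back to a safe default.
function clean_sort($raw) {
    $allowed = array('name', 'date', 'size');
    return in_array($raw, $allowed, true) ? $raw : 'name';
}

// 2) Extension check plus MIME check. Returns array(bool ok, string ext_or_error).
function check_upload(array $file, array $allowed_ext) {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return array(false, 'Upload failed.');
    }
    // Make sure the path really came from this request's upload, not from elsewhere.
    if (!is_uploaded_file($file['tmp_name'])) {
        return array(false, 'Not an uploaded file.');
    }
    // Last extension only, lower-cased so "PHOTO.JPG" is treated like "photo.jpg".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return array(false, 'Wrong extension.');
    }
    // Browser-reported type: a second check, but browsers may leave it empty or
    // send application/octet-stream, so only reject when it is set and contradicts
    // the extension. (Assumed list; tune it for your users' browsers.)
    $mime_for_ext = array(
        'gif' => array('image/gif'),
        'jpg' => array('image/jpeg', 'image/pjpeg'),
        'bmp' => array('image/bmp', 'image/x-ms-bmp'),
        'doc' => array('application/msword'),
        'xsl' => array('text/xml', 'application/xml', 'text/xsl', 'application/xslt+xml'),
    );
    $type = isset($file['type']) ? strtolower($file['type']) : '';
    if ($type !== '' && $type !== 'application/octet-stream'
        && isset($mime_for_ext[$ext]) && !in_array($type, $mime_for_ext[$ext], true)) {
        return array(false, 'File type does not match its extension.');
    }
    return array(true, $ext);
}

// 3) Rename, move above the web root, drop execute permissions.
function store_upload(array $file, array $allowed_ext) {
    list($ok, $info) = check_upload($file, $allowed_ext);
    if (!$ok) {
        return array(false, $info);
    }
    $ext = $info;
    // Never keep the user's filename: build our own, keeping only the checked extension.
    $newname = date('Ymd') . '_' . md5(uniqid(mt_rand(), true)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $newname;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return array(false, 'Could not store file.');
    }
    chmod($dest, 0600);   // owner read/write only; no execute bit for anyone
    return array(true, $newname);
}

// Usage with the assumed field names.
$id   = clean_id(isset($_GET['id']) ? $_GET['id'] : '');
$sort = clean_sort(isset($_GET['sort']) ? $_GET['sort'] : '');
if (isset($_FILES['f_upload'])) {
    list($ok, $msg) = store_upload($_FILES['f_upload'], array('gif', 'jpg', 'bmp', 'doc', 'xsl'));
    // Escape before echoing so the filename or error text cannot inject HTML.
    echo htmlspecialchars($ok ? 'Stored as ' . $msg : $msg, ENT_QUOTES, 'UTF-8');
}
```

Note that the extension and MIME checks only decide whether to accept the file; the renaming, the 0600 mode and the directory above the web root are what stop an accepted file from ever being executed or fetched directly, which is the point the reply makes about not being "100% secure" on the extension check alone.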
1. I have a form and I receive a variable using the $_POST & $_GET methods. How do I sanitize that variable before using it in PHP script processing?
2. How do I sanitize the variable received using forms ($_GET) before I insert it into the MySQL database?
3. I have a form with 'file attach' capability. How do I sanitize that file so it will only accept .gif .jpg .bmp .doc .xsl files ONLY before I insert that data into MySQL?
4. How can I sanitize this file received before I upload it to temp/another directory on the server?
Thanks in advance
[edited by: eelixduppy at 3:22 pm (utc) on July 9, 2008]
2. How do I change the name of uploaded files using a script?
3. If I need to display those files as links in my webpage, I can use either an <img src> tag or an <a href> tag. But I will have to have those files in the HTML directory to do that. Is there a way to do this by putting those uploaded files above the HTML DIRECTORY? Maybe another option to display them in webpages?
Thank you in advance