For starters, you can modify the $_POST variables directly. No need to store them in new variables, all this does is take up more memory and makes for more programming work.

foreach ($_POST as $key => $value) {
$_POST[$key] = clean($value);
}

The only real down side of that is you'd need to "undo" the alterations if you want to display the post variables on a page afterward. They\'d <- probably look like that. :-) In that case,

$qs = Array();
foreach ($_POST as $key => $value) {
$qs[$key] = clean($value);
}

... and use $qs from that point forward.



A few things about your clean routine: it will **only** work if you've previously opened a mySQL connection (mysql_real_escape_string) and appears to do some basic database cleansing but doesn't really "cleanse" the data for other types of attacks. But it's a good start.

To prevent sql injection and xss attacks, you might add something like this:

$str = strip_tags($str);
$str = preg_replace("/[':&#()]/","",$str);

It is probably not a complete list, but it's a start. I'd love to see somebody tell me how to improve it.

You've knocked it on there head there jborder "improve it". That's exactly what I'm looking for. I've read loads of articles but none seem to be conclusive.

Does anybody know of a function pre written that covers all bases?

I found this on net: htmlpurifier

I never tried it, so I don't know if it's good or bad. You may try and let us know.

How about something like this? This recursively sanitizes variables. Useful for multi dimensional arrays like for example $_REQUEST, $_POST and $_GET.

// Note:
// A MySQL connection is required before using // mysql_real_escape_string() otherwise an error of level E_WARNING is // generated, and FALSE is returned. If link_identifier isn't defined, // the last MySQL connection is used. 
/**
 * 
 * Filters variable to make it safe for insertion into a query.
 * Will filter strings and arrays (recursivly).
 *
 * @param mixed $input
 * @param boolean $filterHtml = true Should html and php tags be stripped from the input?
 * @return mixed
 */
function sqlescape($input, $filterHtml = true) {
 if(!is_array($input)) {
 if($filterHtml) {
 return mysql_real_escape_string(strip_tags($input));
 } else {
 return mysql_real_escape_string($input);
 }
 } else {
 foreach($input as $key => $value) {
 $input[$key] = sqlescape($value, $filterHtml);
 }
 return $input;
 }
}

>>Does anybody know of a function pre written that covers all bases?

no, to be really safe you should customise your 'cleaning' functions to suite each input...

if you expect an integer then test for an integer.
if you expect a month in the format 01-12 then test for that.
if you expect a text field with a maximum of 64 characters make sure you also test for a string with maximum length of 64.
ensure you only allow the characters that you want (eg you might want to disallow html for many good reasons)

what rocknbil said is a good shortcut although i always do something like:
$clean_post1 = clean($_POST['post1']);

this way i never accidently use a variable for a database insert that hasn't already been cleaned. (using an array like Oxidiser said also makes sense)

it is more long winded to test the data properly, if you don't you are building up trouble for the future one way or another - even if just from having wrong data inserted into your database fields

^ ^ Precisely, "it depends" on what the input is. "Every user input is a potential hack" and "Accept only what you want and throw everything else away" - Selena Sol