Hi,
Based on what I've read to date I've put together my first sanitisation process. I'm not sure if I've done too much or too little, and I'm hoping someone could help me review it to either point out my errors or help me improve it.
1. I pick up the posted username with the following:
if (isset($_POST['username']) && !empty($_POST['username'])) {
2. Then strip the html tags with:
$username = strip_tags($_POST['username']);
3. Then pass it to a sanitisation function:
$username = san_data_un($username);
function san_data_un($username) {
    $username = trim($username);
    $username = preg_replace('/[^A-Za-z0-9 ._-]/', '', $username); // Leave A-Z, a-z, 0-9, dots, spaces, underscores and hyphens
    $username = preg_replace('/ +/', '-', $username); // Replace each run of spaces with a hyphen (' *' also matches the empty string and would put a hyphen between every character)
    $username = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    return $username;
}
4. When it comes out of the function I check its type with:
if (!is_string($username)) {
    // Nothing may be echoed before header(): any output sends the headers and the redirect is lost ("headers already sent")
    header("Location: h_sign_in.php");
    exit(0);
}
5. I then use a prepared statement to communicate with the db, check the details and retrieve other data needed.
6. Then put this other data in an array with:
$main_data = array($var_1, $var_2, $var_3);
7. Then prepare it to send via the URL with:
$coded_data = urlencode(serialize($main_data));
8. Then pass it like:
<a href="next_page.php?pass_main_data=<?php echo $coded_data; ?>">Link</a>
Thanks in advance for any help or suggestions.
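As an added example that is not part of the original post: the same eight steps written the way a reviewer would hand them back. It assumes a PDO handle $pdo, a users table with id, username, password_hash and email columns, a posted password field, and a secret $url_key for the optional signed-URL helpers at the end; all of these names are illustrative and not from the post.

```php
<?php
// Added example, not the original poster's code. Assumed: a PDO handle $pdo,
// a table users(id, username, password_hash, email), a posted 'password'
// field and a secret $url_key. All of these names are illustrative.
declare(strict_types=1);

// Steps 1-4: validate, do not "repair". The input either matches the allowed
// shape or the request is rejected; nothing is silently rewritten into a
// different username, and nothing is HTML-escaped here (that belongs at output).
function validate_username(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $username = trim($raw);
    // 3-32 characters from letters, digits, dot, underscore and hyphen.
    // \A and \z anchor the whole string; a bare $ would allow a trailing newline.
    return preg_match('/\A[A-Za-z0-9._-]{3,32}\z/', $username) === 1 ? $username : null;
}

function redirect_to(string $location): void
{
    // Nothing may be echoed before header(): any output sends the headers
    // and the redirect is lost ("headers already sent").
    header('Location: ' . $location, true, 303);
    exit;
}

// If a value really has to travel in the URL, sign it and carry it as JSON,
// never as serialize() output. verify_payload() returns null for a missing,
// malformed or forged token, so the receiving page can simply refuse it.
function sign_payload(array $data, string $key): string
{
    $json = json_encode($data, JSON_THROW_ON_ERROR);
    return rawurlencode(base64_encode($json) . '.' . hash_hmac('sha256', $json, $key));
}

function verify_payload(string $token, string $key): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $json = base64_decode($parts[0], true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $key), $parts[1])) {
        return null;
    }
    $data = json_decode($json, true);
    return is_array($data) ? $data : null;
}

session_start();

$username = validate_username($_POST['username'] ?? null);
if ($username === null) {
    redirect_to('h_sign_in.php?err=1000');
}

// Step 5: prepared statement; the value is bound, never interpolated.
$stmt = $pdo->prepare('SELECT id, password_hash, email FROM users WHERE username = :u');
$stmt->execute([':u' => $username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false || !password_verify($_POST['password'] ?? '', $row['password_hash'])) {
    redirect_to('h_sign_in.php?err=1001');
}

// Steps 6-8: keep the data server-side. serialize() in a URL means the next
// page would unserialize() attacker-controlled input (object injection), and
// the user can read and edit every value in the link. A session avoids both.
session_regenerate_id(true);
$_SESSION['main_data'] = [
    'id'       => (int) $row['id'],
    'username' => $username,
    'email'    => $row['email'],
];
redirect_to('next_page.php');

// On next_page.php: session_start(), read $_SESSION['main_data'], and apply
// htmlspecialchars($value, ENT_QUOTES, 'UTF-8') only at the point where a
// value is echoed into HTML.
```

The difference from the posted flow is where each control sits: the username is checked against a whitelist and rejected on mismatch instead of being mangled into something that may collide with another account, HTML escaping happens when rendering rather than before the database query, and the data for the next page never leaves the server. If a link to another page or host does need to carry data, sign_payload()/verify_payload() pair a JSON body with an HMAC so the receiver can detect tampering and never calls unserialize() on user-supplied bytes.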