A PHP function to prevent SQL Injections and XSS

I am tring to make my PHP as secure as possible, and the two main things I am trying to avoid are

  • mySQL Injections
  • Cross-Side Scripting (XSS)

This is the script I got against mySQL Injections:

function make_safe($variable) {
$variable = mysql_real_escape_string(trim($variable)); 
return $variable;  }


Against XSS, I found this:

$username = strip_tags($_POST['username']);

Now I want to unite the two into a single function. Would this be the best way to do so? :

function make_safe($variable) {
$variable = strip_tags(mysql_real_escape_string(trim($variable)));
return $variable; }

Or does the mysql_real_escape_string already prevent XSS? And lastly, is there anything else that I could add into this function to prevent other forms of hacking?


Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

mysql_real_escape_string() doesn’t prevent XSS. It will only make impossible to do SQL injections.

To fight XSS, you need to use htmlspecialchars() or strip_tags(). 1st will convert special chars like < to &lt; that will show up as <, but won’t be executed. 2nd just strip all tags out.

I don’t recommend to make special function to do it or even make one function to do it all, but your given example would work. I assume.

Method 2

This function:

function make_safe($variable) 
   $variable = strip_tags(mysql_real_escape_string(trim($variable)));
   return $variable; 

Will not work

SQL injection and XSS are two different beasts. Because they each require different escaping you need to use each escape function strip_tags and mysql_real_escape_string separatly.
Joining them up will defeat the security of each.

Use the standard mysql_real_escape_string() when inputting data into the database.
Use strip_tags() when querying stuff out of the database before outputting them to the screen.

Why combining the two function is dangerous
From the horses mouth: http://php.net/manual/en/function.strip-tags.php

Because strip_tags() does not actually validate the HTML, partial or broken tags can result in the removal of more text/data than expected.

So by inputting malformed html into a database field a smart attacker can use your naive implementation to defeat mysql_real_escape_string() in your combo.

Method 3

What you should really be looking into is using prepared statements and PDO to both provide an abstraction layer against your database as well as completely eradicate SQL injection attacks.

As for XSS, just make sure to never trust user input. Either run strip_tags or htmlentities when you store the data, or when you output it (not both as this will mess with your output), and you’ll be all right.

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x