What are ways to improve my PHP data sanitation class?

I'm putting together a site, (we're already using javascript to开发者_如何学Go prevalidate on the client side). However after getting tired of writing mysql_real_escape_string every other line. I wrote this class that only has two functions mainly focused on sanitising data in user-input/sql. My question is, what are ways to achieve easier input-sanitizing and while improving code readability?

<?php 
class Safe {
    function userinput($string){
        $string = strip_tags($string);
        $string = htmlspecialchars($string);
        return $string;
    }
    function sql ($string){
       $sqlstuff = Array("union", "select", "update", "delete", "outfile", "create");
       $string = Safe::str($string);
       $string = mysql_escape_string($string);
       $string = str_ireplace($sqlstuff, "", $string);
       return $string;

    }
}
?>

Sorry, this is going to sound harsh, but your class is completely broken.

• You should not be using htmlspecialchars for sanitizing input, it is only useful for escaping output. You do not need to encode HTML for insertion to the database nor should you. Only using htmlspecialchars when sending output to the browser
• You should not be stripping tags from your input, you should be leaving them alone and again using htmlspecialchars when you output that data later to insure HTML tags are escaped and not interpreted by the browser
• You should not be using mysql_escape_string or mysql_real_escape_string, you should be using PDO. If you are writing a new site there is absolutely no reason not to start out correctly and use PDO. Do it.
• You should not be filtering out "union", "select", etc, that's dumb. Those words can appear in regular English language, and they're harmless if you're properly escaping quotes which PDO will handle for you.

Again, sorry for the harsh tone of this answer, but scrap the entire thing and use PDO. There is literally nothing salvageable here.

It's a good idea to use a class like that, particularily if it simplifies input handling. There's however a few points I'd like to comment on:

• You should use mysql_real_escape_string instead of the PHP3 mysql_escape_string.
• The first function should be called html or something. userinput sounds to vague and misrepresentative.
• HTML escaping needs more parameters htmlspecialchars($str, ENT_QUOTES, "UTF-8") to be perfectly safe
• The blacklisting of dangerous SQL keywords is not a good idea. It hints at a wrong approach to using SQL queries (if you receive queries via HTTP requests, that's your problem).
  • Also you should not attempt to filter them. Instead detected them, write to the error/security log, and die() immediately. If there is an attempt to circumvent security, there's no point in attempting any "cleaning" of the request.

You can also use filter_* functions that are bundled with PHP and provide you with the mechanism to filter request parameters according to specific filtering rules.

With few extra tricks, you could even filter arrays of different types of data (thanks to erisco!).

class sanitizer {

  public function sanitizeValues($values, $filters) {

    $defaultOptions=FILTER_FLAG_NO_ENCODE_QUOTES | FILTER_FLAG_STRIP_LOW | FILTER_NULL_ON_FAILURE;

    $filters=(array)$filters;
    $values=(array)$values;
    foreach ($filters as $key => $filter) {
        if($parts=explode('/', $key)){
            $v=&$values;
            foreach ($parts as $part){
                $v=&$v[$part];
            }
            $filter=(array)$filter;
            $filter[1]=isset($filter[1])?$filter[1]:$defaultOptions;
            $v=filter_var($v, $filter[0], $filter[1]);
            // consider if you really need this here instead of PDO
            // $v=mysql_real_escape_string($v); 
        }
        else{
            $values[$key]=isset($values[$key]) ? filter_var($values[$key], $filter[0], $filter[1]) : null;
        }

    }
    return $values;
  }
}

$manager=sanitizer::sanitizeValues($_GET['manager'], array(
                 'manager/managerID'=>FILTER_VALIDATE_INT,           
                 'manager/username'=>FILTER_SANITIZE_STRING,
                 'manager/name'=>FILTER_SANITIZE_STRING,
                 'manager/email'=>FILTER_SANITIZE_STRING,
                 'manager/phone'=>FILTER_SANITIZE_STRING,
                 'manager/bio'=>FILTER_SANITIZE_STRING,
                 'manager/enabled'=>FILTER_VALIDATE_BOOLEAN,
                 'manager/password'=>FILTER_SANITIZE_STRING));

This will produce an array complete with all the needed fields based on the 'manager' parameter in _GET, with all values filtered and, optionally, escaped.