I am converting my functions over from mysql to mysqli. In mysql I use a general function that I can parse data into to remove SQL threats. I have tried using this method in mysqli however any data that goes through it, doesn't come back out. If I var_dump the string I get the result
string(0) ""
This is my function
function sanitize($data) {
    // mysqli_real_escape_string() takes the mysqli connection as its first argument,
    // so with only $data the call fails and the result collapses to an empty string
    return htmlentities(strip_tags(mysqli_real_escape_string($data)));
}
You don't really need to use mysqli_real_escape_string().
Instead, just use prepared statements (look for examples in this PHP documentation page), and you will be just fine.
In addition to protecting from bad data, prepared statements also may work faster, especially for repeated data.
Sanitizing output from PHP must be appropriate to the medium where the data is going. So you should use mysql[i]_real_escape_string() for data going into your DBMS, htmlentities for content going into html or xml, urlencode for data going into urls, quoted_printable_encode for text content in emails....
strip_tags converts HTML into plain text. The addslashes function should only be used if you have no explicit method for escaping for a destination.
BY MIXING AND MATCHING you are seriously compromising the security objective.
Use mysql[i]_real_escape_string() for preparing data to go into your DBMS. Applying it to a string already processed with strip_tags() should have no ill effects (but doing it the other way around will BREAK).
Use htmlentities to escape content before you send it to the browser.
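Putting the two answers together (a prepared statement for data going into MySQL, htmlentities only at the point of HTML output), as an added example that is not code from the question or either answer. The connection credentials, the `comments` table and the mysqlnd-backed `get_result()` are assumptions.

```php
<?php
// Added example. Assumes a reachable MySQL server with the placeholder credentials
// below and this table:
//   CREATE TABLE comments (id INT AUTO_INCREMENT PRIMARY KEY, author VARCHAR(64), body TEXT);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

$db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app_db'); // placeholders
$db->set_charset('utf8mb4'); // escaping is charset-dependent, which is why it needs the link

// Data going INTO the DBMS: bind it; the values never become part of the SQL text.
function addComment(mysqli $db, string $author, string $body): int {
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $author, $body);
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Reading back: the stored text is kept verbatim; nothing is HTML-encoded in the database.
function getComment(mysqli $db, int $id): ?array {
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // requires mysqlnd (assumption)
    $stmt->close();
    return $row ?: null;
}

// Data going OUT to the browser: encode for HTML at the point of output, not before storage.
function h(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderComment(array $row): string {
    return '<p><b>' . h($row['author']) . '</b>: ' . h($row['body']) . '</p>';
}

// Constructed input containing a quote and a tag: stored as typed, rendered inert.
$id = addComment($db, "O'Brien", '<script>alert(1)</script> said "hi"');
echo renderComment(getComment($db, $id)), PHP_EOL;
```

The same stored string can be sent to another medium (a URL, an email) with that medium's encoder instead of h(), which is exactly what escaping at the destination rather than at input makes possible.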