I am writing code which will process the user text input in a registration form. I have implemented the following function which makes sure that the input data is safe:
function input_check($Indata, $dbc) {
    $Indata = trim($Indata);                       // remove leading/trailing white space
    $Indata = stripslashes($Indata);               // remove backslashes
    $Indata = strip_tags($Indata);                 // remove HTML tags
    $Indata = htmlspecialchars($Indata);           // convert special characters to HTML entities
    $Indata = mysql_real_escape_string($Indata, $dbc); // escape for a MySQL query using connection $dbc
    return $Indata;
}
Is there any other processing that I have to do in order to ensure that the input is safe?
I meant safe from malicious input data
Your strategy of using all possible escaping mechanisms may be safe, but it will make your application too complex - imagine what you need to do to use the data (which seems to be stored in a MySQL database later, right?) to print it in an HTML form later.
A wiser approach is to use only the adequate escaping mechanism depending on the use of the data:
- mysql_real_escape_string() (which is deprecated; use PDO::quote() or, even better, use parameter binding, which already does the escaping for you)
- htmlspecialchars(), possibly in conjunction with strip_tags()
- htmlspecialchars() together with urlencode()
... and so on. Then you will most likely be safe from SQL injection, XSS attacks and so on.
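As an added illustration of the per-context approach described in this answer (example code, not from the question or the answer), the same raw input is stored with parameter binding and then escaped once for HTML and once for a URL at output time. It assumes PHP with the pdo_sqlite extension; the users table, the profile URL and the sample input are constructed for the example.

```php
<?php
// Added example: one escaping mechanism per output context, instead of
// stacking every mechanism at input time as input_check() in the question does.
// Assumes pdo_sqlite is available; table and sample data are constructed here.

function store_user(PDO $pdo, string $username, string $website): void {
    // SQL context: parameter binding, so no manual escaping of the value.
    $stmt = $pdo->prepare('INSERT INTO users (username, website) VALUES (:u, :w)');
    $stmt->execute([':u' => $username, ':w' => $website]);
}

function render_html(string $username, string $website): string {
    // HTML context: htmlspecialchars with ENT_QUOTES so both quote styles are
    // encoded, which matters once the value lands inside an attribute.
    $h = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    // URL context: urlencode the query value first, then HTML-escape the whole
    // URL because it is being placed inside an HTML attribute.
    $href = 'https://example.invalid/profile?site=' . urlencode($website);
    $a = htmlspecialchars($href, ENT_QUOTES, 'UTF-8');
    return "<p>Welcome, $h</p><a href=\"$a\">your site</a>";
}

// Constructed sample input with characters significant in each context.
$username = 'O\'Brien <b>&co</b>';
$website  = 'http://example.invalid/?q=a&b="x"';

$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (username TEXT, website TEXT)');
store_user($pdo, $username, $website);

// The row holds the text exactly as typed: no escaping artefacts are stored,
// so it can be escaped correctly for whichever context it is printed in later.
$row = $pdo->query('SELECT username FROM users')->fetch(PDO::FETCH_ASSOC);
assert($row['username'] === $username);

echo render_html($username, $website), PHP_EOL;
```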