hello, I want to sanitize & validate my input to prevent injection . can you give me suggestion which method better to sanitize & validate email,username,number input? username if(!filter_has_var(INPUT_POST, "username")) { echo("Input type does not exist"); } else { $url = filter_input(INPUT_POST, "username",FILTER_SANITIZE_STRING); } PHP: OR $username = mysql_real_escape_string($_POST['username']); {if (!empty($username)) { $username = TRUE } else { $username = FALSE; echo "<p><font color='red'>Please enter your username!</font></p>"; } PHP: Number $number=abs((int)$_GET['number']); PHP: OR if(!filter_has_var(INPUT_POST, "number")) { echo("Input type does not exist"); } else { $url = filter_input(INPUT_POST, "number", FILTER_VALIDATE_INT); } PHP: email $email=mysql_real_escape_string($_POST['email']; if(!preg_match("/^[_\.0-9a-zA-Z-]+@([0-9a-zA-Z][0-9a-zA-Z-]+\.)+[a-zA-Z]{2,6}$/i", $email)) { echo "email is valid"; } else {echo" email is not valid"; PHP: OR function spamcheck($field) { $field=filter_var($field, FILTER_SANITIZE_EMAIL); if(filter_var($field, FILTER_VALIDATE_EMAIL)) { return TRUE; } else { return FALSE; } } if (isset($_POST['email'])) { $mail = spamcheck($_POST['email']); if ($mail==FALSE) { echo "Invalid input"; }else{echo "valid input";} PHP:
why email and number? In case of email, deletee that mysql_real_escape_string and place it AFTER checking with preg_match
maybe I wrong about email but about number abs((integer)) is most effective in use....it converts anything input into integer...negatif number into positif and convert alphabet & another var into 0...
Basically validate data (using preg_match(), is_numeric() etc.)...then sanitize data (mysql_real_escape_string()).
I think number can't be "hacked" when it's INT ... just use function danx mentioned (mysql_real_escape_string()).