I wrote a simple function, but I can't feel absolutely sure it would work perfectly.

```php
function secureGET($string) {
    $string = trim($string);                        // the original discarded trim()'s return value
    $badWords = array("%", "<", ">", "*", ";", "(", ")", "'", '"', " ", "=", "&", "@", "$", "!", "#");
    $string = str_replace($badWords, "", $string);  // strip every listed character
    $string = mysql_real_escape_string($string);    // needs an open mysql_* connection
    return $string;
}
```

All my variables passed through GET contain only letters, numbers and dashes (-), no spaces, no special chars. Please check the function and tell me if this is secure enough. If it's not, tell me what to improve.
Oh... I forgot to remove the < and > signs. I added them to prevent XSS (Cross Site Scripting) attacks.
Can you answer the following questions so I can perhaps advise you on a better solution. Do you only want to return letters, numbers and dashes (-) when you run that function? Also, is this function being used before querying your database?
Prevent SQL injection -> mysql_real_escape_string
XSS prevention -> htmlspecialchars and/or strip_tags
Yes. Only lowercase letters, numbers and dashes. I'm using Apache mod_rewrite for SEO links. Then I'm querying MySQL to find out what to output for the user depending on the URL structure. The strip_tags() function will be really helpful when it's required to check user input data. Apache mod_rewrite simply outputs a 404 page if the URL structure contains something other than lowercase letters, dashes and numbers, but just in case I'm using this function to strip potentially harmful characters.
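Since the thread settles on "only lowercase letters, numbers and dashes", here is an added example (not the original poster's function and not code from the thread) of the whitelist approach the replies point towards: validate the slug against that exact character set and reject anything else, look the page up with a prepared statement instead of escaping, and escape on output with htmlspecialchars. It assumes PDO with an in-memory SQLite database as a stand-in for MySQL so it runs offline; the `pages` table and its columns are made up for the demo.

```php
<?php
// Added example: whitelist validation for a URL slug limited to [a-z0-9-],
// a parameterised lookup, and output escaping. The SQLite database, the
// "pages" table and the sample rows are constructed for this demo.
declare(strict_types=1);

// Returns the slug unchanged if it is well-formed, or null if it is not.
// Rejecting is safer than stripping: a stripped value can silently turn into
// a different, valid-looking slug (e.g. "about<script>" -> "aboutscript").
function validateSlug(string $slug): ?string
{
    // \A and \z anchor the whole string; "$" alone would accept a trailing newline.
    // The length bound keeps oversized input out of the database layer.
    return preg_match('/\A[a-z0-9-]{1,64}\z/', $slug) === 1 ? $slug : null;
}

// Looks up a page by slug with a prepared statement: the value travels as a
// bound parameter and is never spliced into the SQL text, so no escaping
// function (mysql_real_escape_string or otherwise) is involved.
function findPageBySlug(PDO $db, string $slug): ?array
{
    $stmt = $db->prepare('SELECT title, body FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escapes text for insertion into HTML element content or attribute values.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (slug TEXT PRIMARY KEY, title TEXT, body TEXT)');
$db->prepare('INSERT INTO pages VALUES (:s, :t, :b)')
   ->execute([':s' => 'about-us', ':t' => 'About <us> & friends', ':b' => 'Hello']);

$samples = [
    'about-us',               // valid slug, found in the table
    'contact',                // valid slug, not in the table
    'About-Us',               // uppercase: rejected
    "about-us' OR '1'='1",    // quote and spaces: rejected before any SQL runs
    "about-us\n",             // trailing newline: rejected thanks to \z
];

foreach ($samples as $raw) {
    $slug = validateSlug($raw);
    if ($slug === null) {
        // Same outcome the mod_rewrite rule produces for malformed URLs.
        echo '404 for ' . json_encode($raw) . "\n";
        continue;
    }
    $page = findPageBySlug($db, $slug);
    echo $page === null
        ? "no page for $slug\n"
        : '<h1>' . h($page['title']) . "</h1>\n";   // prints <h1>About &lt;us&gt; &amp; friends</h1>
}
```

The design point is that validation, query and output each use the mechanism built for that layer: a regex decides what a slug may be, the prepared statement keeps data out of the SQL text, and htmlspecialchars handles the HTML context at the moment the value is rendered. A character blacklist like the one in the first post has to guess at all three contexts at once, and the `$` versus `\z` anchor detail shows why an explicit whitelist still needs care.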