How Good Is This Data Cleaning Function?

[shadowx 0]

Hi all, this is my first function and as part of a script and i just want to know a couple of things.

here is the code for the function:

<?function clean($dirty_string) {$muddy_string = stripslashes($dirty_string);$murky_string = strip_tags($muddy_string);$clean_string = htmlentities($murky_string);	};?>

So the first thing is how secure is it? the script this will be used in connects to a database and sends an email so it needs to stop SQL injections and any email abuse it might cause, also the data stored in the database will be usaed as part of a HTML page so it needs to be HTML proof which is why i used HTMLENTITIES and of course STRIP_TAGS gets rid of php and HTML so was a good choice i thought.

That is all really! If its not that secure then are there any other built in functions i could add?

Thanks

[cooleappie 0]

As far as i can see, is it for that purpose good enough.. If it would be for a very important part which other persons may in no case enter, i would add more.. but this is enough for this..

[galexcd 0]

It is pretty good, I just have a couple of quick suggestions to add. First of all why are you wasting memory on the server with all of those useless variables? Even though its temporarily while your page is loading. Normally for code this short it wouldn't matter, but since its a function that will be included in other pages, the object of it is to be fast and effective. The faster and more effective it is the better the function is.Also I assume the reason you have htmlentities after strip_tags is to parse '<' and '>' that are not in tag format? (for example an arrow: -->). If you are doing this why do you also strip_tags? Is it important to completely eliminate tags that are in html format? Why not just keep them in there and just parse them into > and <?Also, I would think that add_slashes would make it more secure than strip_slashes. This would escape out quotes, and would also escape out any backslashes that strip_slashes would remove, rendering them useless.

Edited April 28, 2008 by alex7h3pr0gr4m3r (see edit history)