The ultimate clean/secure function

The idea of a generic sanitation function is a broken concept.

There is one right sanitation method for every purpose. Running them all indiscriminately on a string will often break it - escaping a piece of HTML code for a SQL query will break it for use in a web page, and vice versa. Sanitation should be applied right before using the data:

• before running a database query. The right sanitation method depends on the library you use; they are listed in How can I prevent SQL injection in PHP?

• htmlspecialchars() for safe HTML output

• preg_quote() for use in a regular expression

• escapeshellarg() / escapeshellcmd() for use in an external command

• etc. etc.

Using a "one size fits all" sanitation function is like using five kinds of highly toxic insecticide on a plant that can by definition only contain one kind of bug - only to find out that your plants are infested by a sixth kind, on which none of the insecticides work.

Always use that one right method, ideally straight before passing the data to the function. Never mix methods unless you need to.

There is no point in simply passing the input through all these functions. All these functions have different meanings. Data doesn't get "cleaner" by calling more escape-functions.

If you want to store user input in MySQL you need to use only mysql_real_escape_string. It is then fully escaped to store safely in the database.

EDIT

Also note the problems that arise with using the other functions. If the client sends for instance a username to the server, and the username contains an ampersand (&), you don;t want to have called htmlentities before storing it in the database because then the username in the database will contain &.

You're looking for filter_input_array().However, I suggest only using that for business-style validation/sanitisation and not SQL input filtering.

For protection against SQL injection, use parametrised queries with mysqli or PDO.