what is a good method to sanitize the whole $_POST array in php?


If the type of each of your input variables is a string and you want to sanitize them all at once, you can use:

// prevent XSS
$_GET   = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
$_POST  = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);

This will sanitize your $_GET and $_POST arrays.

Seen here: PHP -Sanitize values of a array


Depends what it's being used for.

If you are inserting it into the database then mysql_real_escape_string() for quoted strings and type casting for numbers would be the way to go - well, ideally prepared statements, but that's an entirely different matter.

If you plan on outputting the data onto the webpage then I would recommend something like htmlspecialchars().

If you plan on using the user input as a shell argument, then you would use escapeshellarg().

Moving on to your question about sending emails. Well, the following should suffice:

filter_var($_POST['message'], FILTER_SANITIZE_STRING);

All this does is basically strip tags and encode special characters.


There is no correct way to do blanket sanitation. What sanitation method you need depends on what is done to the data.

Sanitize the data directly before it is used.
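
The approach the answers above describe (handle each value for its destination, at the point of use) shown as an added example that is not part of the original answers. The $post array is constructed sample input, the users table and the html() helper are hypothetical, and the example assumes the pdo_sqlite extension is available.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for $_POST (not real request data).
$post = [
    'name' => "O'Brien <b>& co</b>",
    'age'  => '42abc',
    'file' => 'notes.txt; echo hi',
];

// Hypothetical helper: encode for an HTML text/attribute context only.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1) Database: store the raw value through a prepared statement.
//    In-memory SQLite keeps the example offline (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, age INTEGER)'); // hypothetical table
$stmt = $db->prepare('INSERT INTO users (name, age) VALUES (:name, :age)');
$stmt->bindValue(':name', $post['name'], PDO::PARAM_STR);
$stmt->bindValue(':age', (int) $post['age'], PDO::PARAM_INT); // type cast: 42
$stmt->execute();

// The quote and tags come back unchanged: nothing was mangled on the way in.
$stored = $db->query('SELECT name FROM users')->fetchColumn();

// 2) HTML output: encode at the moment the value is written into markup.
echo '<p>Hello, ', html($stored), "</p>\n";

// 3) Shell argument: quote at the moment the command string is built.
//    The command is only printed here, not executed.
echo 'wc -c -- ', escapeshellarg($post['file']), "\n";
```

The same stored value is safe in all three places because each sink applies its own encoding; running one blanket filter over $_POST up front would have altered the name in the database without making the shell argument safe.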