I'm trying to write a function to sanitize a user's input before it's passed to a variable.
The only things users will be allowed to input are plain text and URIs.
I was hoping that someone could examine the function I have written and provide some constructive criticism or pointers, with the primary focus being on security. Thanks in advance.
<?php
//****************************************
//** security.php by Hermit TL
//**
//** Version 0.1 Alpha
//**
//** Supports plain (english) text
//** and URL input only.
//**
//** Returns NULL on failure.
//****************************************
function security_filter($input, $what) {
    switch ($what) {
        case "string":
            // Reject anything that is not actually a string.
            if (!is_string($input)) {
                return NULL;
            }
            // Strip tags and encode quotes. FILTER_NULL_ON_FAILURE only applies
            // to validate filters, so it has no effect on a sanitize filter;
            // a sanitize filter returns FALSE only if the value cannot be filtered.
            // (FILTER_SANITIZE_STRING is deprecated since PHP 8.1.)
            $clean = filter_var($input, FILTER_SANITIZE_STRING);
            return ($clean === false) ? NULL : $clean;

        case "url":
            if (!is_string($input)) {
                return NULL;
            }
            // FILTER_SANITIZE_URL never "fails" (it only drops characters that
            // are not allowed in a URL), so testing its result against NULL
            // cannot detect bad input. Sanitize, then validate the result so
            // a malformed URL yields NULL instead of a silently "cleaned" string.
            $clean = filter_var($input, FILTER_SANITIZE_URL);
            $valid = filter_var($clean, FILTER_VALIDATE_URL);
            return ($valid === false) ? NULL : $valid;

        default:
            // Unknown filter type.
            return NULL;
    }
}
?>
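As an added illustration (not part of the original post), the following PHP drives security_filter() with a few constructed inputs and then escapes the result for the HTML context where it is used, since sanitizing on input does not replace escaping at the point of output. It assumes the function above is saved as security.php as its header says; the $samples array and the render_link() helper are invented for this example.

```php
<?php
// Added example: exercise security_filter() and escape for the output context.
// Assumes the function from the post is saved as security.php (hypothetical path).
require 'security.php';

// Constructed sample inputs covering each branch of the function.
$samples = [
    ["string", "Hello <b>world</b> & friends"],
    ["string", ["not", "a", "string"]],
    ["url",    "https://example.com/path?q=a b"],
    ["url",    "not a url"],
    ["bogus",  "anything"],
];

foreach ($samples as [$what, $input]) {
    $out = security_filter($input, $what);
    printf("%-6s %-35s => %s\n",
        $what,
        is_string($input) ? $input : gettype($input),
        var_export($out, true));
}

// Assumed helper (not from the post): render a filtered URL as an HTML link.
// FILTER_VALIDATE_URL accepts any scheme with a well-formed structure, so the
// caller still has to restrict the scheme to what the application expects.
function render_link(?string $url, string $label): string {
    if ($url === null) {
        return '';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    // ENT_QUOTES escapes both " and ' so the value is safe inside an attribute.
    return sprintf('<a href="%s">%s</a>',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($label, ENT_QUOTES, 'UTF-8'));
}

echo render_link(security_filter("https://example.com/a?b=1&c=2", "url"), 'Example <link>'), "\n";
echo render_link(security_filter("ftp://example.com/file", "url"), 'Rejected scheme'), "\n";
```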