Input Validation

1) Use built-in functions
filter_input(), filter_var(), filter_input_array()

// Read one GET parameter and sanitize it for HTML output.
$search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);

// Filter definition for several POST fields at once: a bare constant applies
// one filter; an array entry sets filter, flags and options per field.
$args = array(
    'product_id'   => FILTER_SANITIZE_ENCODED,
    'component'    => array(
        'filter'  => FILTER_VALIDATE_INT,
        'flags'   => FILTER_REQUIRE_ARRAY,
        'options' => array('min_range' => 1, 'max_range' => 10)
    ),
    'versions'     => FILTER_SANITIZE_ENCODED,
    'doesnotexist' => FILTER_VALIDATE_INT,
    'testscalar'   => array(
        'filter' => FILTER_VALIDATE_INT,
        'flags'  => FILTER_REQUIRE_SCALAR,
    ),
    'testarray'    => array(
        'filter' => FILTER_VALIDATE_INT,
        'flags'  => FILTER_REQUIRE_ARRAY,
    )
);
// Fields that fail a FILTER_VALIDATE_* filter come back as false;
// fields absent from the request come back as null.
$myinputs = filter_input_array(INPUT_POST, $args);
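The snippet above builds the filter definition but does not show what to do with the result, which is where most mistakes happen. The following is an added example, not code from the original post: it validates a constructed request array with filter_var_array() (the same definition syntax as filter_input_array(), but reading from an array built here so it runs offline) and separates the three outcomes a caller must handle: valid, failed the filter (false) and missing from the request (null). The field names and rules are assumptions.

```php
<?php
// Added example: validate a constructed request with filter_var_array() and
// distinguish "valid", "invalid" (false) and "missing" (null) per field.
// filter_input_array() works the same way but reads the real $_POST.

$definition = [
    'product_id' => ['filter'  => FILTER_VALIDATE_INT,
                     'options' => ['min_range' => 1]],
    'quantity'   => ['filter'  => FILTER_VALIDATE_INT,
                     'options' => ['min_range' => 1, 'max_range' => 100]],
    'email'      => FILTER_VALIDATE_EMAIL,
    'coupon'     => ['filter'  => FILTER_VALIDATE_REGEXP,
                     'options' => ['regexp' => '/^[A-Z0-9]{4,12}$/']],
];

// Constructed sample input: one field is fine, one is out of range,
// one is malformed and one ('coupon') is absent.
$request = [
    'product_id' => '42',
    'quantity'   => '999',
    'email'      => 'not-an-address',
];

function validateRequest(array $input, array $definition): array
{
    // With the default add_empty=true, keys missing from $input are
    // present in the result with the value null.
    $filtered = filter_var_array($input, $definition);
    $errors = [];
    foreach ($definition as $field => $rule) {
        if ($filtered[$field] === null) {
            $errors[$field] = 'missing';   // null: not sent by the client
        } elseif ($filtered[$field] === false) {
            $errors[$field] = 'invalid';   // false: failed the filter
        }
    }
    return ['values' => $filtered, 'errors' => $errors];
}

$result = validateRequest($request, $definition);
if ($result['errors'] !== []) {
    // Reject the whole request; never fall back to the raw input values.
    foreach ($result['errors'] as $field => $why) {
        echo "$field: $why\n";
    }
} else {
    // Only here are the values typed (ints, validated strings) and safe to use.
    var_dump($result['values']);
}
```

Two points the example relies on: FILTER_VALIDATE_* filters reject bad input (returning false) while FILTER_SANITIZE_* filters silently alter it, so for anything that drives logic or a database query prefer validation with an explicit range or pattern; and because a validated int or an empty string can be falsy, always compare against false and null with === rather than with a bare if.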

2) htmlspecialchars()
The htmlspecialchars() function converts special characters to HTML entities. This means that it will replace HTML characters like < and > with &lt; and &gt;. This prevents attackers from exploiting the code by injecting HTML or JavaScript code (Cross-site Scripting attacks) in forms.
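Encoding only helps when it is applied at the point of output and with flags that match the HTML context. The following is an added example, not code from the original post: it shows the same attribute rendered with raw interpolation and with an encoding helper. The helper name e() and the sample value are constructed here.

```php
<?php
// Added example: encode untrusted data when it is written into HTML.

// Constructed sample: a value that tries to close the attribute and start a tag.
$search = '"><b>injected</b>';

// Vulnerable: the raw value is spliced into the markup, so a quote in the
// input ends the attribute and everything after it is parsed as HTML.
$vulnerable = '<input name="search" value="' . $search . '">';

// Hardened: encode for the HTML context. ENT_QUOTES encodes both " and ' so
// the value cannot break out of either attribute style; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string; the charset
// argument must match the page's declared encoding.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$hardened = '<input name="search" value="' . e($search) . '">';

echo $vulnerable, "\n";
echo $hardened, "\n";
```

In the hardened output the quote and angle brackets are entities, so the browser displays the text instead of interpreting it. htmlspecialchars() is an HTML-context encoder only: data placed inside a <script> block, an event handler, a URL or a CSS value needs the encoder for that context, and data stored in the database should be kept raw and encoded on the way out.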

3) stripslashes($data)

4) Use PHP Data Objects (PDO) for binding query parameters and prepared statements to avoid SQL injection: PDO provides a data-access abstraction layer, which means that, regardless of which database you're using, you use the same functions to issue queries and fetch data.
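The reason prepared statements stop injection is that the SQL text is sent to the database before the values are, so a bound value can only ever be data. The following is an added example, not code from the original post: the same lookup written with string concatenation and with a PDO prepared statement, against an in-memory SQLite database with constructed rows so it runs offline. The table, column names and sample input are assumptions.

```php
<?php
// Added example: string-built query versus PDO prepared statement.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and rows.
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$pdo->exec("INSERT INTO products (name, price) VALUES ('widget', 9.99), ('gadget', 19.99)");

// Constructed input: a value containing a quote, which is all it takes to
// change the meaning of a string-built WHERE clause.
$userInput = "' OR '1'='1";

// Vulnerable: the input becomes part of the SQL text, so the database
// parses whatever the caller supplied as part of the statement.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM products WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed at prepare time; the value is bound
// as a parameter and cannot alter the statement's structure.
function findByNameSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM products WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo "string-built query:\n";
print_r(findByNameUnsafe($pdo, $userInput));

echo "prepared statement:\n";
print_r(findByNameSafe($pdo, $userInput));
```

Running it shows the string-built query matching rows that have nothing to do with the supplied name, while the prepared statement looks for a product literally called "' OR '1'='1" and finds none. Two caveats: parameters can only stand in for values, so table and column names or ORDER BY directions still need an allow-list in PHP; and with drivers that emulate prepares on the client (pdo_mysql by default), set PDO::ATTR_EMULATE_PREPARES to false so the separation of statement and data is enforced by the server.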
