This post will likely come off as snobbish and/or know-it-all, but that's not the intention! If people are relying on (or using) addslashes for validation of any data then they're not validating at all. All that addslashes does is escape a string, nothing more. It certainly doesn't validate anything.
There are a plethora of techniques in common, and not so common, use to help prevent various forms of injection and/or XSS attacks and it isn't the purpose of my post to provide an overview of those.
Your own function does two separate things which I, personally, don't like to mix like this. A series of filters is applied to the string ($value) with str_replace/trim/strip_tags, and you escape what's left over with mysql_real_escape_string/htmlentities. There's an old (I've no idea how old or from whence it came) programming adage: filter input, escape output. You're doing both with this function! I wouldn't advise escaping strings going into the database with anything other than mysql_real_escape_string. That function is simply being used to enable storage of the string without any problems.

On a side note, you can pass an array into one (two, or all) of the first three parameters (the fourth being an optional integer, count) of str_replace to make life easier. You could rewrite the first six lines within the function to be:
PHP Code:
    // One search array, one replacement, one call.
    $search = array(
        'javascript:',
        'document.location',
        'vbscript:',
        '<marquee',
        '<script',
        '?php',
    );
    $value = str_replace($search, '_', $value);
The idea being, why do the job six times when you can do six things at once.
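As an added example (not code from the post above or its author), here is the "filter input, escape output" split written out as separate functions, with the filter step using the single array-driven replace call. It assumes PHP 7 or later with the PDO SQLite driver available; since mysql_real_escape_string no longer exists in PHP 7+, the database boundary uses a bound parameter instead, which is a different technique from the one the post recommends. Two caveats a practitioner should know: str_replace is case-sensitive, so the filter below uses str_ireplace or "JavaScript:" would pass straight through, and a blacklist like this is still a crude filter that leaves things like alert(1) in place; the example is about separating the steps, not about the blacklist being complete. The sample input and table are constructed for the example.

```php
<?php
// Added example, not part of the original post.
// Assumes PHP 7+ and the pdo_sqlite extension.

// 1. Filter input: one str_ireplace call over an array of patterns
//    (str_replace is case-sensitive, so "JavaScript:" would survive it),
//    then strip tags and trim. No escaping happens here.
function filter_input_string(string $value): string
{
    $search = [
        'javascript:',
        'document.location',
        'vbscript:',
        '<marquee',
        '<script',
        '?php',
    ];
    $value = str_ireplace($search, '_', $value);
    return trim(strip_tags($value));
}

// 2a. Escape for HTML at the point of output only.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2b. Database boundary: hand the filtered value over as a bound
//     parameter. Nothing is escaped into the stored string itself, so
//     what comes back out is exactly what went in.
function store_comment(PDO $db, string $value): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $value]);
    return (int) $db->lastInsertId();
}

function load_comment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Constructed sample input and an in-memory table so this runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT)');

$raw   = "  <b>Hi</b> <SCRIPT>alert(1)</SCRIPT> JavaScript:void(0) \"quoted\"  ";
$clean = filter_input_string($raw);          // filtered once, on the way in

$id     = store_comment($db, $clean);        // stored as-is via bound parameter
$stored = load_comment($db, $id);

echo "filtered : ", $clean, "\n";
echo "stored   : ", $stored, "\n";
echo "html     : ", escape_html($stored), "\n";   // escaped once, on the way out
```

Run it with `php example.php`; the "stored" line is identical to the "filtered" line, and the HTML escaping only shows up on the last line, which is the point of keeping the two jobs apart.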