stripslashes() should only be needed if you have the deprecated magic_quotes_gpc "feature" enabled and you want to undo its damage. I use this method to deal with it if I'm unable to control whether it is on or off: http://www.charles-reace.com/blog/20...-magic-quotes/.
Next step should be to validate that user-supplied inputs are valid (type, size, etc.) -- the sort of thing where if it's invalid you display an error message and have them re-enter it. At this point you may want to look at the filter_var() function, along with things like strlen() and the various ctype_*() functions.
Sanitizing values for use in DB queries (e.g. mysql_real_escape_string()) is a separate issue, and normally should only be applied to the data in that specific instance, not globally such that the escaping would affect use of the data in non-SQL situations.
Similarly, filtering data for output with functions such as htmlentities() should normally only be done as/when it is being output to the browser (or whatever else needs to be filtered).
So long story short: there's nothing "standard" I do for all user inputs, but rather it is based on the type of data and the situation.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
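An added example (not code from the post's author) of the validate-then-escape-per-context approach described above: validation with filter_var(), strlen() and ctype_alnum() happens first, SQL quoting happens only at the query, and HTML escaping happens only at output. It assumes the pdo_sqlite extension is available and uses a prepared statement in place of the mysql_real_escape_string() the post mentions.

```php
<?php
// Added example, not code from the original post: validate first, then
// escape separately at each point of use (SQL, HTML), never globally.

// Validation: returns field => error message; an empty array means valid.
function validateComment(array $in): array {
    $errors = [];
    $user = $in['username'] ?? '';
    if (!is_string($user) || !ctype_alnum($user) || strlen($user) < 3 || strlen($user) > 20) {
        $errors['username'] = 'must be 3-20 letters or digits';
    }
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'must be a valid e-mail address';
    }
    $text = $in['comment'] ?? '';
    if (!is_string($text) || strlen($text) < 1 || strlen($text) > 200) {
        $errors['comment'] = 'must be 1-200 bytes';
    }
    return $errors;
}

// SQL context: a prepared statement (used here in place of the
// mysql_real_escape_string() mentioned in the post) handles the quoting at
// the moment the value enters the query; the stored data stays unaltered.
function storeComment(PDO $db, array $in): void {
    $stmt = $db->prepare('INSERT INTO comments (username, email, body) VALUES (?, ?, ?)');
    $stmt->execute([$in['username'], $in['email'], $in['comment']]);
}

// HTML context: escape only while producing output for the browser.
function renderComment(array $row): string {
    return '<p><b>' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8')
         . '</b>: ' . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample inputs (not real user data).
$bad  = ['username' => "o'brien", 'email' => 'nope', 'comment' => ''];
$good = ['username' => 'alice1', 'email' => 'alice@example.com',
         'comment' => "I'm <b>not</b> bold; quotes ' \" stay as typed"];

foreach (validateComment($bad) as $field => $msg) echo "$field: $msg\n";

if (!validateComment($good)) {
    $db = new PDO('sqlite::memory:');  // assumes the pdo_sqlite extension is loaded
    $db->exec('CREATE TABLE comments (username TEXT, email TEXT, body TEXT)');
    storeComment($db, $good);
    $row = $db->query('SELECT username, body FROM comments')->fetch(PDO::FETCH_ASSOC);
    echo $row['body'], "\n";        // stored raw, exactly as the user typed it
    echo renderComment($row), "\n"; // escaped only here, for the HTML context
}
```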