https://www.icyphoenix.com/viewtopic.php?f=17&t=9350&p=59908#p59908
-----------------------------------
Informpro
Sat 22 Nov, 2014 11:37
Re: You Do Not Sanitize Data In $_GET
-----------------------------------

I'd recommend against using your own strip_tags function. Use PHP's, it's better (=> safer).

Magic quotes have been removed from the language recently (5.4 I think?) so it should be safe to remove it now (or soon-ish).

For the rest, I agree: don't preemptively quote stuff. Your template engine should be responsible for the HTML escaping, and your DB layer should be responsible for the SQL escaping (two things that phpBB doesn't do...).

Very simple reason:
- If you pre-filter everything, it's going to be a pain to get the original (sometimes impossible)
- If you filter "by hand" (applying a function to sanitize every time) you're going to miss some of those and create vulnerabilities in your software.
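The two-layer approach the reply describes (raw input stored as-is, SQL escaping done by the DB layer through bound parameters, HTML escaping done once at output time), as an added example that is not from the original thread or from phpBB/Icy Phoenix. It assumes PDO with an in-memory SQLite database and a constructed sample value standing in for `$_GET['comment']`.

```php
<?php
// Added example, not from the thread. Shows why the reply recommends
// escaping at the layer that uses the data instead of pre-filtering input.
// Uses an in-memory SQLite database so it runs offline.

// 1. Read the input exactly as received: no addslashes(), no strip_tags().
//    The fallback is a constructed sample value for running this offline.
$comment = $_GET['comment'] ?? "O'Reilly says <b>hi</b>";

// 2. DB layer: bound parameters do the SQL escaping. The text is never
//    concatenated into the query, and what is stored is the original text.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $comment]);

// 3. Template layer: HTML escaping happens once, at output time.
//    ENT_QUOTES covers both quote styles so the value is also safe inside
//    attribute values; the charset must match the page's declared encoding.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$row = $db->query('SELECT body FROM comments ORDER BY id DESC LIMIT 1')
          ->fetch(PDO::FETCH_ASSOC);

// The stored value is identical to the input, so it can still be edited,
// searched or exported without any "un-escaping" step.
var_dump($row['body'] === $comment);

// The rendered value is inert markup, regardless of what was submitted.
echo '<p class="comment">' . e($row['body']) . "</p>\n";

// Contrast: pre-filtering on input throws away the original (the tags are
// gone, the apostrophe is backslashed) and there is no way to recover it
// later, which is the first problem the reply points out.
$prefiltered = addslashes(strip_tags($comment));
var_dump($prefiltered === $comment);
```

Note that `e()` is appropriate for text placed into HTML element or attribute content; a value that ends up inside a URL or a script block needs the escaping rule for that context instead.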