Securing User Input

Hello everyone,
I’m just starting out learning PHP and have programmed a function to filter user input. This will mainly be used in a highly restricted forum-type environment or prior to adding data to a MySQL database.

I’m looking for input on how effective (or ineffective) my code really is.

Here is the function:
[php]<?php
//****************************************
//****************************************
//** security.php by Sensimillia
//**
//** Version 0.2 Alpha
//**
//** Supports plain (english) text
//** and URL input only.
//**
//** Returns NULL on failure.
//****************************************
//****************************************
function security_filter($input, $what) {
    // Arrays are never accepted
    if (is_array($input)) { $input = NULL; }

    switch ($what) {
        case "string":
            // Only real strings are sanitised; anything else fails
            if (is_string($input)) {
                $input = filter_var($input, FILTER_SANITIZE_STRING, FILTER_NULL_ON_FAILURE);
            } else {
                $input = NULL;
            }
            break;
        case "url":
            // Validate first, then sanitise; FILTER_NULL_ON_FAILURE turns a bad URL into NULL
            $chk = filter_var($input, FILTER_VALIDATE_URL, FILTER_NULL_ON_FAILURE);
            if ($chk !== NULL) {
                $input = filter_var($input, FILTER_SANITIZE_URL, FILTER_NULL_ON_FAILURE);
            } else {
                $input = NULL;
            }
            break;
        default:
            $input = NULL;
    }

    // Strict checks: a loose "== false" would also turn the valid string "0" into NULL
    if ($input === false || $input === NULL) {
        return NULL;   // return before escaping, otherwise NULL would come back as ""
    }

    // Requires an open mysql_connect() link; without one this returns false
    return mysql_real_escape_string($input);
}
?>[/php]

A lot of work for old rope. If you kept up-to-date with modern standards, you would realize that the mysql_query function will be completely removed from PHP soon. Putting the query into PDO will secure it for you.
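An added example (not the original poster's function and not code from the reply above) of the approach the reply points to: validate the input, hand it to MySQL through PDO prepared statements instead of an escaping function, and escape only at output time for HTML. The DSN, credentials, the `posts` table and its columns are assumptions, and the sample input is constructed.

```php
<?php
// Added example: validation, storage and output escaping as three separate steps.
// Assumed: PHP 8, a MySQL database "forum" with table posts(id, title, url).
declare(strict_types=1);

/**
 * Validate one field. Returns the accepted value, or null when the input is not
 * acceptable. Nothing here is "escaped": validation only decides whether the
 * value is allowed, it does not prepare it for any particular sink.
 */
function validate_field(mixed $input, string $what): ?string
{
    // Arrays, ints, objects etc. are never acceptable for these field types.
    if (!is_string($input)) {
        return null;
    }
    switch ($what) {
        case 'string':
            // Plain text: valid UTF-8, no control characters, bounded length.
            if (!mb_check_encoding($input, 'UTF-8')) {
                return null;
            }
            if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $input)) {
                return null;
            }
            $input = trim($input);
            return ($input !== '' && mb_strlen($input) <= 200) ? $input : null;
        case 'url':
            // FILTER_VALIDATE_URL accepts any scheme, so restrict to http(s) explicitly.
            $url = filter_var($input, FILTER_VALIDATE_URL, FILTER_NULL_ON_FAILURE);
            if ($url === null) {
                return null;
            }
            $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
            return in_array($scheme, ['http', 'https'], true) ? $url : null;
        default:
            return null;
    }
}

/** Store a post. Placeholders keep the data out of the SQL text, so no escaping is needed. */
function store_post(PDO $pdo, string $title, string $url): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (title, url) VALUES (:title, :url)');
    $stmt->execute([':title' => $title, ':url' => $url]);
    return (int) $pdo->lastInsertId();
}

/** Render a post for HTML. Escaping happens here, for this sink only. */
function render_post(string $title, string $url): string
{
    $t = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $u = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href=\"{$u}\">{$t}</a>";
}

// Constructed sample input, shaped like $_POST from a forum form.
$raw = ['title' => 'Hello <b>world</b>', 'url' => 'https://example.com/page'];

$title = validate_field($raw['title'], 'string');
$url   = validate_field($raw['url'], 'url');
if ($title === null || $url === null) {
    http_response_code(400);
    exit('Invalid input');
}

// Assumed connection details; ERRMODE_EXCEPTION surfaces query failures,
// and disabling emulated prepares makes the server do the parameter binding.
$pdo = new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'forum_user', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

$id = store_post($pdo, $title, $url);          // title is stored exactly as typed
echo render_post($title, $url);                // "<b>" is escaped only when shown as HTML
```

The title is stored unchanged (the `<b>` tags are data, not a problem for the database) and is escaped with `htmlspecialchars` only when it is printed into a page; if the same value were later written into JSON or a shell command, that sink would need its own encoding, which is why escaping is not folded into the validation function.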
