Is this enough for a secure site? (4 small functio

Published 2019-04-02 03:53

Question:

Possible Duplicate:
PHP: the ultimate clean/secure function

I revised my site's security filters today. I used to filter input and do nothing with the output.

Here it is:

All user inputted variables go through these 2 functions depending on the type:

PS: Since I didn't start coding from scratch I did it for all variables, including the ones that aren't used in queries. I understand that this is a performance killer and will be undoing that. Better safe than sorry, right?

// numbers (I expect very large numbers)
// keeps only digits and returns them as a string, so values beyond PHP_INT_MAX survive
function intfix($i)
{
    $i = preg_replace('/[^\d]/', '', $i);
    if (!strlen($i))
        $i = 0;
    return $i;
}

// escape non-numbers
// mysql_real_escape_string needs an open mysql_* connection, otherwise it returns false
function textfix($value) {
    $value = mysql_real_escape_string($value);
    return $value;
}

XSS preventing:

Input - filters user submitted text, like posts and messages. As you see it's currently empty. Not sure if strip_tags is needed.

Output - on all html outputs

function input($input){
    // strip_tags is currently disabled; output() does the escaping instead
    //$input = strip_tags($input, "");
    return $input;
}

function output($bbcode){
    $bbcode = textWrap($bbcode); // textWrap (the site's own helper) breaks long words
    $bbcode = htmlentities($bbcode, ENT_QUOTES, "UTF-8");
    $bbcode = str_replace("\n", "<br />", $bbcode);

    // then some bbcode (removed) and the img tag
    $urlmatch = "([a-zA-Z]+[:\/\/]+[A-Za-z0-9\-_]+\\.+[A-Za-z0-9\.\/%&=\?\-_]+)";

    $match["img"] = "/\[img\]".$urlmatch."\[\/img\]/is";
    $replace["img"] = "<center><img src=\"$1\" class=\"max\" /></center>";

    // apply the patterns above (the post omits this call; assumed from the description)
    $bbcode = preg_replace($match, $replace, $bbcode);

    return $bbcode;
}

I included the img tag because it could be vulnerable to css...

What do you think? Anything obviously wrong? Good enough?
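A hardened version of the same pipeline, as an added example that is not code from the original post: encode every character first, re-admit only an [img] tag whose URL passes validation, and use bound parameters instead of an escaping function. The function names, the PDO query and the table layout are this example's own assumptions.

```php
<?php
// Added example, not the asker's code: encode first, then re-admit only a
// validated [img] tag, and bind query parameters instead of escaping them.

function encode_html(string $text): string {
    // Safe for HTML text and quoted attribute contexts (ENT_QUOTES covers both).
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function safe_img_url(string $candidate): ?string {
    // Accept absolute http(s) URLs only; anything else is rendered as plain text.
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($candidate, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $candidate : null;
}

function render_post(string $raw): string {
    // 1. Encode everything first, so no raw user text ever reaches the page as markup.
    $html = nl2br(encode_html($raw), false);   // "\n" -> "<br>" after encoding

    // 2. Re-introduce [img] only when the (decoded) URL passes validation.
    return preg_replace_callback('/\[img\](.+?)\[\/img\]/is', function (array $m): string {
        $url = safe_img_url(html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
        if ($url === null) {
            return $m[0];   // keep the already-encoded text verbatim
        }
        return '<div class="center"><img src="' . encode_html($url) . '" class="max" alt=""></div>';
    }, $html);
}

// 3. Database access: bind values, so no escaping function is needed at all.
function find_posts(PDO $db, string $userId, string $search): array {
    // Very large ids stay strings; the database compares them to the numeric column.
    $uid = preg_replace('/\D/', '', $userId) ?: '0';
    $stmt = $db->prepare('SELECT id, body FROM posts WHERE user_id = :uid AND body LIKE :q');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_STR);
    $stmt->bindValue(':q', '%' . $search . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: one valid image URL, one that must stay literal text.
echo render_post("Hi <b>there</b>\n[img]https://example.com/a.png[/img]\n[img]not a url[/img]");
```

Because the whole post is encoded before the [img] pass, the only markup that can reach the browser is the single tag built here, and its src is both scheme-checked and attribute-encoded.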

Answer 1:

Looks ok, but you could easily make one function for both texts and ints, checking its type first and acting on it.