Richard Heyes takes another look at cleaning up user input in one of his latest posts on his weblog.
Just been notified by Stefan Esser (I think anyway, ionic on IRC in #pear) that the dispelGlobals() function I posted a few days ago is potentially harmful. This is due to the function happily unsetting any variable which appears in the request, e.g. _SERVER. Quite a bummer. In addition to that, there's a bug in PHP (now fixed) which means that $GLOBALS can be overwritten. Doubleplus bad. Fortunately these things are only exploitable if register_globals is on. Two lessons to be learnt from this are:
He follows it up with a new version of the dispelGlobals function, and points out a particular comment as a suggested read...
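The failure the quote describes, as an added illustration that is not Richard Heyes's code: a cleanup routine that treats request keys as the list of globals to unset, beside a guarded variant that refuses to touch PHP's own superglobals. The function names, the reserved-name list, the value-identity check and the sample request are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Names PHP itself keeps in the global symbol table. A request parameter
// with one of these names must never be allowed to trigger an unset().
const RESERVED_GLOBALS = [
    'GLOBALS', '_SERVER', '_GET', '_POST', '_COOKIE',
    '_FILES', '_ENV', '_REQUEST', '_SESSION',
];

// Naive version (assumed shape of the original): trusts request keys as
// the list of globals to remove. With register_globals on, a request
// carrying a parameter named _SERVER removes $_SERVER for the rest of the
// script, which is the harm described above.
function dispelGlobalsNaive(array $request): void
{
    foreach (array_keys($request) as $name) {
        unset($GLOBALS[$name]);
    }
}

// Guarded version (assumption): skips superglobals and only removes a
// global that register_globals could have created, i.e. one whose current
// value is identical to the request value of the same name. Returns the
// names it removed so the caller can log them.
function dispelGlobalsGuarded(array $request): array
{
    $removed = [];
    foreach ($request as $name => $value) {
        if (in_array($name, RESERVED_GLOBALS, true)) {
            continue;                       // never touch PHP's own globals
        }
        if (!array_key_exists($name, $GLOBALS) || $GLOBALS[$name] !== $value) {
            continue;                       // not an injected global, keep it
        }
        unset($GLOBALS[$name]);
        $removed[] = $name;
    }
    return $removed;
}

// Constructed request, mimicking what register_globals would inject;
// $GLOBALS['user'] is set by hand to simulate that injection.
$request = ['user' => 'guest', '_SERVER' => 'x', 'GLOBALS' => 'y'];
$GLOBALS['user'] = 'guest';
$removed = dispelGlobalsGuarded($request);
printf("removed: %s\n", implode(', ', $removed));
var_dump(isset($_SERVER));
```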