I have a PayPal IPN PHP file set up which assigns all of the IPN post contents variables to variables. This file is only 'hit' from paypal.com (ie nobody should know it's url).
My question is should I take the necessary steps to filter and sanitize the POST data from PayPal or is masking my IPN file name (IPN_082j3f08jasdf.php) enough?
Also, could somebody confirm my sanitize code? It's pretty basic. I run it on EVERYTHING sent via POST or GET and my goal is to prevent any kind of MySQL injections or whatever hackers do.
function filter($data){
// changes & to &
// changes " to "
// removes \ < >
$data = trim(htmlentities(strip_tags($data)));
if(get_magic_quotes_gpc()){
$data = stripslashes($data);
}
$data = mysql_real_escape_string($data);
return $data;
}