Question : Sanitize input

Hi Experts.
I'm working on a project and my obsession is to sanitize input data as much as possible.
Right now, I'm using this to sanitize input data coming from the login form.
Is there anything more to do to protect input data?
I can't see any security hole in this approach (particularly SQL injection and XSS attacks).
What additional steps should I take when I need to sanitize input which can contain HTML data (like the content of a web page, for example)? Is this enough, or do I need to do something more?
Thanks in advance.
<?php
	session_cache_expire(30);
	session_start();
	header("Content-Type: text/html; charset=UTF-8");
	session_regenerate_id(true);
	
	//error_reporting(E_ALL); 
	//ini_set("display_errors", 1); 
	
	require_once("_conn.php");
	
	// Creates a variable named after each request key (variable variables)
	// holding the escaped value, e.g. $_POST['username'] becomes $username.
	foreach ($_POST as $key => $value) {
		$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
	}
	
	foreach ($_GET as $key => $value) {
		$$key = mysql_real_escape_string(stripslashes(htmlspecialchars(strip_tags($value))));
	}
	
	// CSRF token check; exit so the script does not keep running after the redirect
	if( empty($_POST['token']) || $_POST['token'] != $_SESSION['token'] )
	{
		header("Location: default.php?act=error");
		exit;
	}
		
	$valid_username = preg_match("/^[A-Za-z]\w{6,20}[A-Za-z_0-9]$/D",$username);
	$valid_password = preg_match("/^[A-Za-z]\w{6,20}[A-Za-z_0-9]$/D",$password);	
	
	if (!$valid_username || !$valid_password)
	{
		header("Location: default.php?act=error");
		exit;
	}
	
	$password = SALT . $password;
	$password = sha1($password);
		
	$q = "SELECT * FROM administrators "
  	."WHERE username='" . $username . "' "
  	."AND password='". $password . "' "
  	."LIMIT 1";
 	
 	$r = mysql_query($q);
	
	if ( $obj = @mysql_fetch_object($r) )
	{
		// Login good, create session variables
		$_SESSION["nt_id_conn"] = $obj->idadministrator;
		$_SESSION["nt_id_username"] = $username;
		$_SESSION["nt_id_time"] = time();
		$_SESSION["nt_ip"] = $_SERVER["REMOTE_ADDR"];
		
		// Redirect to member page
		header("Location: main.php");
	}
	else
	{
		// Login not successful
		header("Location: default.php?act=error");
	}
	
	//unset($_SESSION['token']);
	
	session_write_close();
?>
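The login code above runs one escaping chain over every field regardless of where the value ends up; the usual alternative is to validate on input, bind values in the query, and encode for the output context only when rendering. This is an added example, not the asker's code, and it assumes a PDO connection `$pdo`, the `SALT` constant from the question, and the question's `administrators` table with the columns `username`, `password` and `idadministrator`.

```php
<?php
// Added example (not the asker's code): separate validation, query
// parameterisation and output encoding instead of one escaping chain.
// Assumes a PDO connection $pdo and constant SALT, and the question's
// `administrators` table with the columns username, password, idadministrator.

// 1. Validate: the question's own pattern, applied to the raw input.
function valid_credential(string $value): bool
{
    return preg_match('/^[A-Za-z]\w{6,20}[A-Za-z_0-9]$/D', $value) === 1;
}

// 2. Query: bound parameters keep data out of the SQL text, so no
//    mysql_real_escape_string()-style pre-escaping of the values is needed.
function find_administrator(PDO $pdo, string $username, string $password_hash): ?array
{
    $stmt = $pdo->prepare(
        'SELECT idadministrator, username FROM administrators
          WHERE username = :u AND password = :p LIMIT 1'
    );
    $stmt->execute([':u' => $username, ':p' => $password_hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Encode for the output context at render time, so the stored value
//    stays unmodified and can be reused in other contexts (JSON, mail, ...).
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Login handler sketch; the hash step is kept as in the question.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (!valid_credential($username) || !valid_credential($password)) {
    header('Location: default.php?act=error');
    exit; // header() alone does not stop the script
}

$admin = find_administrator($pdo, $username, sha1(SALT . $password));
if ($admin === null) {
    header('Location: default.php?act=error');
    exit;
}
echo 'Welcome, ' . html_text($admin['username']);
```

For fields that must carry HTML (the page-content case in the question), `strip_tags()` is not a sanitizer; an allowlist-based HTML sanitizer such as HTML Purifier is the usual tool, applied to the stored value before it is rendered.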

Answer : Sanitize input

You may ping the staging server's URL.