Cleaning Variables

Variables that are submitted via web forms always need to be cleaned/sanitized before use in any way, to prevent against all kinds of different malicious intent.

Technique #1

function clean($value) {

       // If magic quotes not turned on add slashes.

       // Adds the slashes.
       { $value = addslashes($value); }

       // Strip any tags from the value.
       $value = strip_tags($value);

       // Return the value out of the function.
       return $value;

$sample = "<a href='#'>test</a>";
$sample = clean($sample);
echo $sample;


  1. Magictallguy
    Permalink to comment#

    This is a good start, but it isn’t anywhere near as efficient as it needs to be in today’s PHP usage.
    Look into htmlspecialchars() and/or htmlentities(), stripslashes() and (for database users) mysqli_real_escape_string()

    Example usage:

    function clean($str, $entities = true) {
        // Strip user-added slashes
        $str = stripslashes($str);
        // Optional "overkill" - remove *all* backslashes
        $str = str_replace('\\', '', $str);
        // Strip tags
        $str = strip_tags($str);
        // If entities = true, make the string XSS safe (to a degree)
        if($entities == true)
            $str = htmlspecialchars($str);
        // Return the string
        return $str;

    I’d only recommend using that on output.
    If you’re submitting to a database (like posting a comment, for example), then escape your data!!

    // Assuming you're already connected to the database using procedural mysqli
    $_POST['user_posted_data'] = mysqli_real_escape_string($conn, $_POST['user_posted_data'];
    // Then query the database.

    Of course, I’d advocate PDO over mysqli_*() functions, as they automatically escape (for lack of a better description)

Leave a Comment

Posting Code

We highly encourage you to post problematic HTML/CSS/JavaScript over on CodePen and include the link in your post. It's much easier to see, understand, and help with when you do that.

Markdown is supported, so you can write inline code like `<div>this</div>` or multiline blocks of code in triple backtick fences like this:

  function example() {
    element.innerHTML = "<div>code</div>";

We have a pretty good* newsletter.