Cleaning Variables

Variables submitted via web forms must always be cleaned (sanitized) before they are used in any way, to guard against the many kinds of malicious input an attacker can send.

Technique #1

function clean($value) {

       // If magic quotes not turned on add slashes.
       // (get_magic_quotes_gpc() no longer exists in PHP 8, where magic quotes
       // are always off, so the function_exists() check keeps this runnable there.)
       if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc())
       // Adds the slashes.
       { $value = addslashes($value); }

       // Strip any tags from the value.
       $value = strip_tags($value);

       // Return the value out of the function.
       return $value;
}

$sample = "<a href='#'>test</a>";
$sample = clean($sample);
echo $sample;


Comment #1

    This is a good start, but it isn’t anywhere near as efficient as it needs to be in today’s PHP usage.
    Look into htmlspecialchars() and/or htmlentities(), stripslashes() and (for database users) mysqli_real_escape_string().

    Example usage:

    function clean($str, $entities = true) {
        // Strip user-added slashes
        $str = stripslashes($str);
        // Optional "overkill" - remove *all* backslashes
        $str = str_replace('\\', '', $str);
        // Strip tags
        $str = strip_tags($str);
        // If entities = true, make the string XSS safe (to a degree)
        if($entities == true)
            $str = htmlspecialchars($str);
        // Return the string
        return $str;
    }

    I’d only recommend using that on output.
    If you’re submitting to a database (like posting a comment, for example), then escape your data!!

    // Assuming you're already connected to the database using procedural mysqli
    $_POST['user_posted_data'] = mysqli_real_escape_string($conn, $_POST['user_posted_data']);
    // Then query the database.

    Of course, I’d advocate PDO over mysqli_*() functions, as they automatically escape (for lack of a better description).
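The split the comment above points at (prepared statements for the database, HTML escaping only at output time) as an added example; it is not code from the original page or from the commenter, and it assumes the pdo_sqlite extension, a constructed comments table and constructed sample input.

```php
<?php
declare(strict_types=1);

// Store the raw submission. Parameter binding keeps user text as data, so
// no addslashes()/real_escape_string() "cleaning" of the value is needed.
function storeComment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadComment(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Escape for the HTML context, at output time only. ENT_QUOTES covers both
// quote characters, so the result is safe in text nodes and quoted attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderComment(array $row): string
{
    return '<li><b>' . h($row['author']) . '</b>: ' . h($row['body']) . '</li>';
}

// Constructed in-memory database standing in for the real comments table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input, as it might arrive in $_POST.
$id  = storeComment($db, "O'Brien", "<b>hi</b> said 1' OR '1'='1");
$row = loadComment($db, $id);

// Stored text is byte-for-byte what was submitted: no slashes added, no tags
// stripped, so a non-HTML consumer (JSON API, plain-text email) also gets it intact.
var_dump($row['body'] === "<b>hi</b> said 1' OR '1'='1");

// Escaping happens only here, where the HTML context is known.
echo renderComment($row), PHP_EOL;
```

Stripping tags or adding slashes at input time destroys data that other consumers may need; binding parameters on the way in and escaping on the way out keeps each concern in the place that knows its context.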

Comment #2

    Are there any solutions for today's PHP version?
