Variables submitted via web forms always need to be cleaned/sanitized before they are used in any way, to protect against all kinds of malicious input.
Technique #1
function clean($value) {
    // If magic quotes are not turned on, add slashes. get_magic_quotes_gpc()
    // was removed in PHP 8.0, so check that it exists before calling it.
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        // Adds the slashes.
        $value = addslashes($value);
    }
    // Strip any tags from the value.
    $value = strip_tags($value);
    // Return the value out of the function.
    return $value;
}

$sample = "<a href='#'>test</a>";
$sample = clean($sample);
echo $sample;
This is a good start, but it isn’t anywhere near as efficient as it needs to be in today’s PHP usage.
Look into htmlspecialchars() and/or htmlentities(), stripslashes() and (for database users) mysqli_real_escape_string().
Example usage:
I’d only recommend using that on output.
If you’re submitting to a database (like posting a comment, for example), then escape your data!!
Of course, I’d advocate PDO over mysqli_*() functions, as they automatically escape (for lack of a better description).
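The advice in the comments above (escape on output, use PDO for the database), as an added example that is not code from the original page or its commenters. It assumes the pdo_sqlite extension is available and uses a constructed comments table, constructed sample input, and two hypothetical helpers, save_comment() and e().

```php
<?php
declare(strict_types=1);

// Assumption: pdo_sqlite is installed; an in-memory database stands in for
// the real one so the example runs offline. Table and columns are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input, as it might arrive in $_POST.
$input = [
    'author' => "O'Brien",
    'body'   => "<a href='#'>test</a> and it's a quote",
];

/** Hypothetical helper: store the raw value through bound parameters. */
function save_comment(PDO $pdo, string $author, string $body): int
{
    // The placeholders keep the data separate from the SQL text, so no
    // addslashes() or manual escaping is applied before storage.
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

/** Hypothetical helper: encode a value for an HTML context at output time. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$id = save_comment($pdo, $input['author'], $input['body']);

$stmt = $pdo->prepare('SELECT author, body FROM comments WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The stored value is exactly what was submitted (no added slashes, no
// stripped text), so it can be encoded for whichever context prints it.
var_dump($row['body'] === $input['body']);

// HTML output: every value is encoded at the point where it is printed.
echo '<p><strong>', e($row['author']), '</strong>: ', e($row['body']), "</p>\n";
```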
Are there any solutions for today's PHP version?
Thanks