n00bl337, posted March 2, 2011:

I would like to sanitize input from users so when it's pulled out of the database and stuck into the page, they can't add malicious code to my page. I have heard of strip_tags() but wonder if there is anything better. Thanks.
Psycho, posted March 3, 2011:

It all really depends on how you are going to use the data. You *can* allow the user to input anything and still prevent SQL injection, cross-site scripting, and just plain old HTML display issues.

When saving the data to the database you should always be escaping the input to prevent SQL injection. For MySQL databases you would use mysql_real_escape_string().

When you display the input (if you don't restrict the input) you could use htmlentities() or htmlspecialchars() to escape characters that would cause problems in the rendered HTML.

You would use strip_tags() if you really, really don't want the user to input that data. For example, if I put <b>text</b> in this forum post it will not display as bold text. The tags are still being saved to the database, but it is being escaped so it will not be rendered as HTML tags.
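The separation the answer above describes (store the raw text safely, escape only at output, strip tags only when you don't want them at all) in a runnable PHP script. This is an added example, not code from either poster. It swaps in a PDO prepared statement for the mysql_real_escape_string() step, since mysql_real_escape_string() no longer exists in current PHP, and uses an in-memory SQLite database so it runs without a MySQL server; the `comments` table, the column names and the sample input are assumptions made for the demo.

```php
<?php
// Added example (not from the thread). Demonstrates: parameterised storage,
// output escaping with htmlspecialchars(), and strip_tags() as the
// "really don't want it" alternative. Table/columns are assumptions.
declare(strict_types=1);

// In-memory SQLite via PDO so the script is self-contained (assumption: any
// PDO driver behaves the same for the prepared statement below).
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input: something a user might type into a comment box,
// mixing HTML, an attribute with script in it, and SQL-looking text.
$userInput = "<b>text</b> & a <a href=\"http://example.com\" onclick=\"alert(1)\">link</a>; ' OR 1=1 --";

// 1. Store the input unchanged. With a prepared statement the value is sent
//    separately from the SQL, so it can never be parsed as part of the query.
//    This replaces the mysql_real_escape_string() step from the answer.
$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $userInput]);

// 2. Read it back: the database holds exactly what the user typed.
$row = $db->query('SELECT body FROM comments WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
$stored = $row['body'];
if ($stored !== $userInput) {
    throw new RuntimeException('stored value should be byte-for-byte identical');
}

// 3a. Escape at output time. The tags survive as literal text, so the browser
//     shows "<b>text</b>" instead of rendering bold text or running onclick.
//     ENT_QUOTES also escapes ' and ", which matters inside attribute values.
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3b. Strip the tags when you don't want them at all. strip_tags() only
//     removes tags; characters such as & and quotes are left as-is, so the
//     result still goes through escapeForHtml() before it reaches the page.
function stripAndEscape(string $s): string
{
    return escapeForHtml(strip_tags($s));
}

echo "Escaped for display: " . escapeForHtml($stored) . PHP_EOL;
echo "Tags stripped:       " . stripAndEscape($stored) . PHP_EOL;
```

Run it with `php example.php`. The first line shows every tag turned into `&lt;...&gt;` text (the `onclick` attribute is inert), the second shows the text with the tags gone but still escaped; in both cases the row in the database is untouched, which is the point of the answer above: the escaping belongs to the output context, not to the stored data.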