A:
I would say that you don't have to strip any characters from your input, at least generally speaking.
Instead, you must escape your data:
- when sending it to your database:
  - see mysql_real_escape_string, mysqli_real_escape_string, PDO::quote
  - or prepared statements: MySQLi; PDO
- when sending it to the HTML output:
  - see htmlspecialchars
Still, if you allow users to input HTML, you should take a look at HTMLPurifier, to make sure they are not able to inject any malicious HTML code into your web pages:
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant
Pascal MARTIN
2010-03-03 18:58:30
“[…] to make sure they are able to inject any malicious HTML code […]” – Don’t you mean the opposite?
Gumbo
2010-03-03 19:11:59
@Gumbo : ouch ; of course I mean the opposite ;-) ;; I've edited my answer to correct that ;; thanks for your comment !
Pascal MARTIN
2010-03-03 19:14:27
htmlspecialchars can be dangerous for UTF-8 coded character sets
Sinan
2010-03-03 19:54:59
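As an added example (not code from the answer or comments above), the following PHP shows the output-escaping side of the answer: htmlspecialchars applied to a few constructed inputs, with the charset and flags passed explicitly rather than left to PHP's defaults. It assumes the page is served as UTF-8; the sample strings and the helper name `h()` are made up for the example.

```php
<?php
// Added example: escaping untrusted data for HTML output with an explicit charset.
// Assumes the response is served as UTF-8.

function h(string $untrusted): string {
    // ENT_QUOTES:     also encode the single quote, so the value is safe inside
    //                 single-quoted attribute values as well as double-quoted ones.
    // ENT_SUBSTITUTE: replace invalid UTF-8 sequences with U+FFFD instead of
    //                 returning an empty string (PHP >= 5.4 behaviour without it).
    // 'UTF-8':        name the charset; on PHP < 5.4 the default was ISO-8859-1,
    //                 which does not validate multibyte sequences at all.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs for the demonstration, not real user data.
$samples = [
    'plain'    => 'Pascal & Gumbo',
    'script'   => '<script>alert(1)</script>',
    'dquote'   => '" onmouseover="alert(1)',
    'squote'   => "' onmouseover='alert(1)",
    'bad_utf8' => "caf\xC3",            // truncated multibyte sequence
];

foreach ($samples as $name => $value) {
    printf("%-8s -> %s\n", $name, h($value));
}

// The escaped value is safe as element content or as a quoted attribute value.
// It is NOT sufficient for unquoted attributes, inline JavaScript, URLs or CSS,
// each of which needs its own encoder.
echo '<input type="text" value="' . h($samples['dquote']) . '">', "\n";
echo '<p>' . h($samples['script']) . '</p>', "\n";
```

Run it with `php example.php`; compare the `bad_utf8` line with the result of calling `htmlspecialchars($samples['bad_utf8'])` without `ENT_SUBSTITUTE` on PHP 5.4 or later, which silently yields an empty string, and on older versions with the ISO-8859-1 default, which passes the broken byte through unchanged.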
A:
Instead of sanitizing your data just use Prepared Statements for database interaction. PDOs eliminate the need of hand sanitizing all of your input yourself.
ssergei
2010-03-03 19:05:14
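As an added example (not code from either answer), the following PHP runs the same lookup three ways: raw string interpolation, PDO::quote escaping as the first answer suggests, and a PDO prepared statement as this answer suggests. It uses an in-memory SQLite database so it runs without a MySQL server; the `users` table, its rows and the attacker input are constructed for the example.

```php
<?php
// Added example: interpolation vs. PDO::quote() vs. prepared statements.
// SQLite in memory keeps it self-contained; with MySQL you would use a
// mysql: DSN and pass [PDO::ATTR_EMULATE_PREPARES => false] in the
// constructor options so the server, not the driver, handles the binding.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'user'), ('bob', 'admin')");

// Constructed attacker input: closes the string literal and appends a tautology.
$userInput = "x' OR '1'='1";

// 1. Vulnerable: the WHERE clause becomes  name = 'x' OR '1'='1'
//    and every row comes back.
$rows = $pdo->query("SELECT name FROM users WHERE name = '$userInput'")
            ->fetchAll(PDO::FETCH_COLUMN);
echo "interpolated: ", implode(',', $rows), "\n";

// 2. Escaping: PDO::quote() wraps the value in quotes and escapes it for this
//    driver. Correct only if every dynamic value goes through it, and only for
//    string literals; it cannot protect identifiers or bare numeric contexts.
$rows = $pdo->query('SELECT name FROM users WHERE name = ' . $pdo->quote($userInput))
            ->fetchAll(PDO::FETCH_COLUMN);
echo "quoted:       ", implode(',', $rows), "\n";

// 3. Prepared statement: query text and data never mix, so there is nothing to
//    escape; the input is compared literally as a name and matches no row.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $userInput]);
echo "prepared:     ", implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN)), "\n";

// Placeholders bind values, not SQL structure. A user-chosen column name or
// sort direction still has to be checked against a fixed allow-list.
$allowedSort = ['name', 'role'];
$requested   = $_GET['sort'] ?? 'name';
$sort        = in_array($requested, $allowedSort, true) ? $requested : 'name';
$stmt = $pdo->prepare("SELECT name FROM users ORDER BY $sort");
$stmt->execute();
echo "sorted by $sort: ", implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN)), "\n";
```

The first query returns both rows; the quoted and prepared versions return none, because the injected text is treated as a (non-matching) name rather than as SQL. The final block is the caveat the answer leaves implicit: prepared statements remove the need to escape values, but anything that is part of the statement's structure still needs validation.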