How can I stop users entering <?php ?> into my forms.
I am using urlencode() and then using urldecode() when echoing data onto my page what is the best thing to do??
UPDATE:
I am writing to the database with the text urlencoded:
htmlentities (urlencode($_POST['postmessage']));
I am using:
<?php echo htmlentities (urldecode($row['content'])) ?>
to echo the saved data. Is that enough??
I would suggest you to use the HTML Purifier for that:
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited,
secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.
Well, you can get rid of all the characters that don't belong in a URL
$var = filter_var($url, FILTER_SANITIZE_URL);
Then you can check that it is a valid URL
$var = filter_var($url, FILTER_VALIDATE_URL);
if($var == false)
die("Bad URL");
what are you doing with the code? execute it? when you echo the php code theres no need to worry server side... you rather want to do html_entity_encode to keep your website from beeing fucked or beeing injected by iframes/javascripts by user posts