John W. Holmes

Troy S wrote:
> What is the best way to remove the characters from strings that may cause security problems? Namely, `, ', ", <, >, \ and all non-printing strings. Did I miss any? Thanks.
Why do you need to remove them? So I can't type <grin>? Is that a security violation? All you need to do is use htmlentities() and/or addslashes() to protect data being displayed or entered into a database.
If you're worried about HTML code being entered (guess from desire to strip <, > and /) and messing up your site's layout, you might wanna call strip_tags($String, $AllowedTags); where $AllowedTags is a string like '<b><u><i>' if you want to allow bold, underline and italics.
You could do this if you want to allow cross site scripting vulnerabilities on your site:
Hello <b onmouseover="alert('hi');">you</b>.
And prevent such evil text as "<grin>" or "<foo>"...
--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals – www.phparch.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
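An added PHP example, not from the thread, illustrating John's point: strip_tags() with an allowed-tag list keeps every attribute on the allowed tags, so an onmouseover handler passes straight through, while escaping with htmlspecialchars() and then re-enabling only bare formatting tags lets <b>, <u> and <i> through without their attributes. The function name allowBasicFormatting and the sample inputs are mine.

```php
<?php
// Added example (not the list's code): why strip_tags() with an allow-list
// is not an XSS defence, and an escape-then-re-enable alternative.

// Constructed input of the same shape as the message in the thread.
$input = 'Hello <b onmouseover="alert(\'hi\');">you</b>. <grin>';

// 1. strip_tags() with allowed tags removes <grin> but leaves the allowed <b>
//    tag intact, including its onmouseover attribute. The handler survives.
$viaStripTags = strip_tags($input, '<b><u><i>');
echo $viaStripTags, "\n";

// 2. Plain output escaping: nothing renders as markup, so "<grin>" is shown
//    literally and the event handler is inert text.
$escaped = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
echo $escaped, "\n";

// 3. Allow bold/underline/italic only: escape everything first, then turn the
//    bare, attribute-free forms of the allowed tags back into markup. A tag
//    that carries attributes does not match the pattern and stays escaped.
//    (allowBasicFormatting is a hypothetical helper name.)
function allowBasicFormatting(string $text, array $tags = ['b', 'u', 'i']): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $alternatives = implode('|', array_map('preg_quote', $tags));
    // Matches &lt;b&gt;, &lt;/b&gt; etc. exactly; no room for attributes.
    return preg_replace('#&lt;(/?)(' . $alternatives . ')&gt;#i', '<$1$2>', $safe);
}

$input2 = 'Hello <b>bold</b>, <i onclick="x()">not this</i>, and <grin>';
// <b>bold</b> is restored as markup; the attribute-bearing <i ...> and
// <grin> remain escaped text, so the browser never sees a handler.
echo allowBasicFormatting($input2), "\n";
```

The re-enabling step is deliberately strict: a stray closing tag such as the `</i>` above is harmless on its own, but anything with an attribute or an unlisted name never becomes markup.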