Currently I am using trim, stripslashes and htmlspecialchars to sanitise string data from forms. The data is being forwarded to clients in emails, not entered into a database.

I am considering changing to use just: filter_var($str, FILTER_SANITIZE_STRING).

I quite like that FILTER_SANITIZE_STRING completely removes any HTML tags, whereas with htmlspecialchars my clients would see some gobbledygook in received emails and would still see the code within HTML tags.

It’s puzzling as to why use of PHP filters to sanitise strings is not more frequently recommended. Is using FILTER_SANITIZE_STRING sufficient?
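The behaviour the question contrasts, run side by side on one constructed input. This is an added example, not code from the question: the sample string, the `sanitise_for_email` helper and its `$htmlBody` parameter are my own assumptions, and the helper picks the treatment by output context (plain-text body versus HTML body) rather than applying one filter everywhere.

```php
<?php
// Constructed sample input: mixes tags, a quote and a backslash so that each
// approach's effect is visible.
$input = " <b>Hello</b> O'Brien <script>alert(1)</script> C:\\temp ";

// 1. The question's current pipeline: trim, stripslashes, htmlspecialchars.
//    Tags and quotes are encoded (< becomes &lt;, ' becomes &#039;), so the
//    text is safe inside an HTML email but shows the encoded tags literally
//    in a plain-text email. stripslashes also removes the backslash in the path.
$escaped = htmlspecialchars(stripslashes(trim($input)), ENT_QUOTES, 'UTF-8');

// 2. FILTER_SANITIZE_STRING: removes tags (the inner text "alert(1)" is kept)
//    and, by default, encodes single and double quotes as numeric entities,
//    so O'Brien still contains an entity unless FILTER_FLAG_NO_ENCODE_QUOTES
//    is passed. The filter is deprecated as of PHP 8.1.
$filtered = filter_var(trim($input), FILTER_SANITIZE_STRING);

// 3. Choose the treatment by the context the value is written into.
function sanitise_for_email(string $value, bool $htmlBody): string
{
    $value = trim($value);

    // A form value that is copied into a header (Subject, From, Reply-To)
    // must not carry line breaks, otherwise the remainder would be read
    // as further headers. Collapsing CR/LF to a space is a cheap guard.
    $value = str_replace(["\r", "\n"], ' ', $value);

    if ($htmlBody) {
        // HTML body: encode, so that client-supplied markup is displayed,
        // not rendered. ENT_SUBSTITUTE keeps invalid UTF-8 from blanking
        // the whole string.
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Plain-text body: tags have no meaning, so stripping them (strip_tags,
    // the non-deprecated equivalent of FILTER_SANITIZE_STRING's tag removal)
    // gives readable output and leaves quotes and backslashes untouched.
    return strip_tags($value);
}

echo "htmlspecialchars:       $escaped\n";
echo "FILTER_SANITIZE_STRING: $filtered\n";
echo "plain-text email:       " . sanitise_for_email($input, false) . "\n";
echo "HTML email:             " . sanitise_for_email($input, true) . "\n";
```

Running this shows why neither single filter is "sufficient" on its own: `htmlspecialchars` is the right tool when the value is embedded in HTML, `strip_tags` (or the deprecated filter) when it is embedded in plain text, and a value placed in a mail header needs the line-break check regardless of which body treatment is used.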