Sanitize variable?

hello,

Yesterday, in the shower, I had the idea that someone could do bad things to my site via some kind of injection technique.

What I have is a textbox requesting some data which is then displayed on the page, but someone could also insert some unwanted JavaScript or HTML, so my question is: how do I "sanitize" the variables that contain data from the textbox/textarea?

Thanks.

Your receiving script is unaware of where the input came from, just that it is there. Start by determining what input (alphanumeric etc.) your application expects, then apply logic to ensure you only accept that.

Additionally, check out FIEO (Filter Input, Escape Output); the first two results by Chris Shiflett are an invaluable source of information and an excellent starting point.

Is there any PHP built-in function that can kill HTML/JS from input?

There's always strip_tags(). :)

However, it doesn’t cover everything. Don’t rely on it.

It works well for HTML, but it doesn't work on JavaScript.

If you want to kill all formatting tags, use htmlspecialchars().
If you want to allow some HTML but restrict JavaScript, use http://htmlpurifier.org/
If you want to allow some HTML and some JavaScript, use http://htmlpurifier.org/ + http://code.google.com/p/google-caja/
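As an added example (not code posted by anyone in this thread), here is the "filter input, escape output" approach from the replies above in plain PHP: the textbox is assumed to hold a display name, so the whitelist pattern and the 64-character limit are assumptions about that field, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Step 1 (filter input): decide what the field may contain and reject
// anything else. Assumed here: a display name of letters, digits, spaces
// and a few punctuation marks, 1 to 64 characters.
function validateDisplayName(string $input): ?string
{
    $input = trim($input);
    if (preg_match('/\A[\p{L}\p{N} .,\'-]{1,64}\z/u', $input) !== 1) {
        return null; // not what the application expects
    }
    return $input;
}

// Step 2 (escape output): anything echoed into HTML is encoded for that
// context, so the browser shows it as text instead of parsing it as markup.
// ENT_QUOTES also encodes single quotes, which matters inside attributes;
// the charset must match the page's declared encoding.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs, not taken from the thread.
$samples = [
    "Ada Lovelace",                     // passes validation, nothing to encode
    "O'Brien, Tom & Co.",               // passes validation, needs encoding
    "<b>bold</b> <script>x()</script>", // markup and script: fails validation
    str_repeat('a', 70),                // too long: fails validation
];

foreach ($samples as $raw) {
    $clean = validateDisplayName($raw);
    if ($clean === null) {
        // Reject the value; if it must be shown back to the user at all,
        // it is still escaped, never echoed raw.
        echo "rejected: ", escapeForHtml($raw), "\n";
        continue;
    }
    echo '<span class="name">', escapeForHtml($clean), "</span>\n";
}
```

strip_tags() is not used at all here: once the output is encoded for the HTML context, tags in the input are displayed literally rather than interpreted, and the whitelist in step 1 rejects them anyway.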