Whenever you’re printing user input to a page – even something as simple as re-populating an input from a previous page via a cookie – someone’s bound to try to exploit it, typically by smuggling in markup or script (cross-site scripting). The fix is to escape the value for the context it lands in before echoing it.
Here’s a simple function to escape user input for HTML element content and quoted attribute values (it is not sufficient on its own for JavaScript, URL or CSS contexts, which need their own escaping):
function sanitize($html) {
    // Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself in
    // PHP 8.0, so only call it where it still exists.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $html = stripslashes($html);
    }
    // UTF-8 to UTF-8: invalid byte sequences are replaced, so the string that
    // reaches htmlentities() is always well-formed UTF-8.
    $html = mb_convert_encoding($html, 'UTF-8', 'UTF-8');
    // Escape <, >, &, " and ' for HTML element and quoted-attribute contexts.
    $html = htmlentities($html, ENT_QUOTES, 'UTF-8');
    return $html;
}
What is the use of the mb_convert_encoding function?
Converts other encodings to (more predictable, easier to white- or black-list) UTF-8.
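To see the function in action, and to make the point about mb_convert_encoding concrete, here is an added example (not code from the original post or its comments). It runs a copy of sanitize() over a few constructed inputs: a harmless name, two typical XSS payloads and a string containing a truncated multibyte sequence. The input values and their labels are made up for the demonstration.

```php
<?php
// Added example, not part of the original post: exercises a sanitize() helper
// equivalent to the one above against constructed inputs and shows why the
// UTF-8 -> UTF-8 conversion step is there.

function sanitize($html) {
    // Magic quotes were removed in PHP 5.4 and the function in PHP 8.0,
    // so guard the call instead of assuming it exists.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $html = stripslashes($html);
    }
    // Same source and target encoding: mbstring replaces bytes that are not
    // valid UTF-8, so the result is guaranteed well-formed.
    $html = mb_convert_encoding($html, 'UTF-8', 'UTF-8');
    return htmlentities($html, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs of the kind a tester would put in a cookie or form field.
$inputs = [
    'plain'    => 'Alice',
    'breakout' => '"><script>alert(1)</script>',
    'quote'    => "' onmouseover='alert(1)",
    'bad_utf8' => "Al\xC3ice",   // 0xC3 starts a 2-byte sequence but 'i' is not a continuation byte
];

foreach ($inputs as $label => $raw) {
    // htmlentities() without ENT_SUBSTITUTE/ENT_IGNORE returns '' for invalid
    // UTF-8, so without the re-encoding step the field would come back empty.
    $naive = htmlentities($raw, ENT_QUOTES, 'UTF-8');
    printf("%-9s raw=%s\n          naive=%s\n          safe=%s\n",
        $label, bin2hex($raw), var_export($naive, true), sanitize($raw));
}

// The escaped value is safe inside a quoted attribute or element body, which is
// the re-populate-an-input case from the post:
$value = sanitize($inputs['breakout']);
echo '<input type="text" name="user" value="' . $value . '">' . "\n";

// It is NOT safe inside an unquoted attribute or a <script> block; those
// contexts need their own escaping (for script, json_encode() with
// JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS|JSON_HEX_QUOT is the usual choice).
```

Run it from the command line with `php example.php`. The two payload rows show the quotes and angle brackets coming back as entities, so the closing `"` of the attribute is never terminated early. The `bad_utf8` row is the interesting one: the naive call prints `''` because htmlentities() refuses the invalid sequence, while the sanitized value keeps the text with the broken byte replaced. That is the practical reason for the mb_convert_encoding() step: it turns "reject the whole string" into "repair and escape it".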