Whenever you’re printing user-input to a page – even something as simple as re-populating an input from a previous page via cookie – someone’s bound to try to exploit it.
Here’s a simple function to help sanitize user input:
function sanitize($html){
if(get_magic_quotes_gpc()){
$html = stripslashes($html);
}
$html = mb_convert_encoding($html, 'UTF-8', 'UTF-8');
$html = htmlentities($html, ENT_QUOTES, 'UTF-8');
return $html;
}
What is the use of the mb_convert_encoding function?
converts other encodings to (more predictable, easier to white- or black-list) UTF-8