I've been trying to find a good way to filter and sanitize form data in PHP without using a framework. The closest I've found is this: http://php.net/manual/en/book.filter.php But I haven't found many examples of code that uses it. Has anyone here used the built-in filter and sanitize functions? Is there a better way to go about filtering data?
Here is one from an open source script:

```php
<?php
// Tag names and event attributes that should never appear inside a tag in user input.
$disalowedtags = array(
    'script', 'object', 'iframe', 'image', 'applet',
    'meta', 'form', 'onmouseover', 'onmouseout'
);
$threat = FALSE;

foreach ($_GET as $varname) {
    foreach ($disalowedtags as $tag) {
        // eregi() was removed in PHP 7; preg_match() with the /i modifier is the equivalent.
        if (preg_match('/<[^>]*' . preg_quote($tag, '/') . '/i', $varname)) {
            #header("Location: $site_url");
            #die();
            $threat = TRUE;
        }
    }
}
foreach ($_POST as $varname) {
    foreach ($disalowedtags as $tag) {
        if (preg_match('/<[^>]*' . preg_quote($tag, '/') . '/i', $varname)) {
            #header("Location: $site_url");
            #die();
            $threat = TRUE;
        }
    }
}
?>
```

You can add any HTML/JavaScript/PHP functions or words that may cause harm to your website to the array $disalowedtags. If you will be entering the values into a MySQL database, make sure to escape them with the function mysql_real_escape_string. Example:

```php
// mysql_real_escape_string() is part of ext/mysql (removed in PHP 7) and needs an open mysql_connect() link.
$string = mysql_real_escape_string($_POST['string']);
$string = mysql_real_escape_string($_GET['string']);
```

OR one that handles ALL superglobals could be

```php
<?php
// This stops SQL Injection in POST vars
foreach ($_POST as $key => $value) {
    $_POST[$key] = mysql_real_escape_string($value);
}
// This stops SQL Injection in GET vars
foreach ($_GET as $key => $value) {
    $_GET[$key] = mysql_real_escape_string($value);
}
?>
```
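For the filter extension the question asks about, here is an added example (not code from the thread or from any project) that validates a submitted form with filter_var_array(), escapes values with htmlspecialchars() at output time, and stores them through a PDO prepared statement instead of string escaping. The $submitted array is a constructed stand-in for $_POST so the script runs offline; the field names and rules are assumptions for illustration, and the database part assumes the pdo_sqlite extension is available.

```php
<?php
// Constructed sample input standing in for $_POST (not a real request).
$submitted = array(
    'username' => '  alice_01 ',
    'email'    => 'alice@example.com',
    'age'      => '27',
    'website'  => 'https://example.com/~alice',
    'comment'  => '<script>alert("xss")</script> hello',
);

// One validation rule per field (field names are assumptions for this example).
// Validate against an allow-list of what is acceptable rather than a deny-list of bad tags.
$rules = array(
    'username' => array(
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => array('regexp' => '/^[A-Za-z0-9_]{3,20}$/'),
    ),
    'email'    => FILTER_VALIDATE_EMAIL,
    'age'      => array(
        'filter'  => FILTER_VALIDATE_INT,
        'options' => array('min_range' => 13, 'max_range' => 120),
    ),
    'website'  => FILTER_VALIDATE_URL,
    // Free text is kept as-is and escaped when displayed, not "cleaned" on input.
    'comment'  => FILTER_UNSAFE_RAW,
);

// filter_var_array() returns null for a missing key and false for a failed check.
$clean = filter_var_array(array_map('trim', $submitted), $rules);

$errors = array();
foreach ($rules as $field => $rule) {
    if ($clean[$field] === null) {
        $errors[$field] = 'missing';
    } elseif ($clean[$field] === false) {
        $errors[$field] = 'invalid';
    }
}
// FILTER_VALIDATE_URL accepts any scheme that has a host, so restrict the scheme
// explicitly before the value is ever placed in an href attribute.
if (empty($errors['website'])) {
    $scheme = parse_url($clean['website'], PHP_URL_SCHEME);
    if (!in_array($scheme, array('http', 'https'), true)) {
        $errors['website'] = 'invalid';
    }
}

if ($errors) {
    foreach ($errors as $field => $problem) {
        printf("Field %s is %s\n", $field, $problem);
    }
    exit(1);
}

// Output encoding: escape for the HTML context at the point of display.
function e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Storage: bound parameters keep data separate from SQL, so no escaping is needed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, email TEXT, age INTEGER, website TEXT, comment TEXT)');

$stmt = $db->prepare(
    'INSERT INTO users (username, email, age, website, comment)
     VALUES (:username, :email, :age, :website, :comment)'
);
$stmt->execute(array(
    ':username' => $clean['username'],
    ':email'    => $clean['email'],
    ':age'      => $clean['age'],
    ':website'  => $clean['website'],
    ':comment'  => $clean['comment'],
));

// Read back and render; the <script> in the comment comes out as inert text.
foreach ($db->query('SELECT * FROM users') as $row) {
    printf(
        "<p><a href=\"%s\">%s</a> (%s, age %d): %s</p>\n",
        e($row['website']),
        e($row['username']),
        e($row['email']),
        $row['age'],
        e($row['comment'])
    );
}
```

The split this script makes is the one worth keeping in mind from the thread: validation decides whether input is acceptable at all, escaping is done per output context (HTML here, SQL never, because prepared statements take that over), and a deny-list of tag names is not relied on for either.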