Quick security improvements for your PHP code

When accepting input from users in your web application, there is always the chance that the user will submit something, whether by accident or by design, that causes problems ranging from the cosmetic to the malicious.

One of the most common cosmetic problems is that a user formats everything nicely in a <textarea>, but all the line breaks are lost when the text is redisplayed, because browsers collapse newlines in HTML. This is easily solved with the nl2br() function, which inserts an HTML-friendly <br /> before every newline in the user's input. Note that nl2br() only adds tags; it does not escape anything, so on its own it is not a security measure.

To guard against malicious input, such as a cross-site scripting attack or injected HTML that seriously screws up your page layout, encode or strip the user's text before it is written into the page using htmlspecialchars(), htmlentities() or strip_tags() (arranged in ascending order of "paranoidness"), depending on your requirements. htmlspecialchars() converts the five characters that matter to HTML (&, <, >, " and ') into entities; htmlentities() additionally converts every character that has a named HTML entity; strip_tags() removes tags outright, but leaves & and quotes alone and does not touch the attributes of any tags you choose to allow, so it is not a complete XSS defence by itself. Two practical rules: store the user's text as submitted and encode it at output time, and when combining with nl2br(), escape first and convert newlines second, otherwise the <br /> tags you just added get encoded into visible text.
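The following is an added example, not code from the original post, showing the escape-then-nl2br ordering and the three functions side by side. The function names and the sample comment are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helper, not from the original post).
// Escapes untrusted text for an HTML element body while keeping the
// user's line breaks. Order matters: escape first, then nl2br(), so the
// <br /> tags we add survive and any tags the user typed are neutralised.
function renderUserText(string $input): string
{
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($escaped);
}

// The wrong order: nl2br() first, then htmlspecialchars() encodes the
// <br /> tags we just inserted, so the reader sees literal "<br />" text.
function renderUserTextWrongOrder(string $input): string
{
    return htmlspecialchars(nl2br($input), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: a multi-line comment carrying an XSS attempt.
$comment = "Nice post!\n<script>alert(document.cookie)</script>\nCheers, \"Bob\" & co.";

echo "--- correct order (escape, then nl2br) ---\n";
echo renderUserText($comment), "\n";

echo "--- wrong order (nl2br, then escape) ---\n";
echo renderUserTextWrongOrder($comment), "\n";

// The three functions compared on one string. Note the event-handler
// attribute: strip_tags() removes the tag entirely, but if <b> is in the
// allowed list the onmouseover attribute is kept untouched.
$sample = '<b onmouseover="alert(1)">bold</b> & "quoted" é';

echo "--- htmlspecialchars ---\n";
echo htmlspecialchars($sample, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";

echo "--- htmlentities ---\n";
echo htmlentities($sample, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";

echo "--- strip_tags, nothing allowed ---\n";
echo strip_tags($sample), "\n";

echo "--- strip_tags, <b> allowed (attribute survives) ---\n";
echo strip_tags($sample, '<b>'), "\n";
```

Running this shows the script tag rendered as harmless &lt;script&gt; text with a <br /> after each line in the correct-order output, while the wrong-order output contains literal &lt;br /&gt; sequences. In the comparison, htmlspecialchars() and htmlentities() differ only in that the latter also turns é into &eacute;; strip_tags() leaves the bare & and the quotes in place, and with <b> allowed the onmouseover attribute comes through unchanged, which is why strip_tags() with an allow-list is not a safe XSS filter on its own.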
