Does this depend on if the input is going to be printed to the user? In my case I need to return the input back to the user (comments and bio).
Thanks!!!
Use the PHP htmlspecialchars() function to convert special characters to HTML entities. Always escape a string before displaying it on a webpage using the htmlspecialchars() function to prevent XSS attacks.
The strip_tags() function is an inbuilt function in PHP which is used to strip HTML and PHP tags from a string. This function returns a string with all NULL bytes, HTML, and PHP tags stripped from a given $str. Syntax: string strip_tags( $str, $allowable_tags )
htmlspecialchars() is enough to prevent XSS. strip_tags() removes tags but not special characters like " or ', so if you use strip_tags() you also have to use htmlspecialchars().
If you want users' comments to be displayed like they typed them, don't use strip_tags, use htmlspecialchars() only.
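To make the difference concrete, here is an added example (not code from the thread) that escapes a constructed bio and comment with htmlspecialchars() and contrasts it with strip_tags(); the esc() and render_profile() helpers and the sample strings are assumptions for illustration.

```php
<?php
// Added example, not from the original thread: escaping user-supplied
// text for display with htmlspecialchars(), compared with strip_tags().
declare(strict_types=1);

// Escape for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES also converts single quotes (before PHP 8.1 the default
// flags left them alone); ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of making the function return an empty string.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render a bio and a comment exactly as typed, safely embedded in markup.
// The same escaped value is safe both as attribute content and as text.
function render_profile(string $bio, string $comment): string
{
    return '<div class="bio" title="' . esc($bio) . '">' . esc($bio) . '</div>'
         . '<p class="comment">' . esc($comment) . '</p>';
}

// Constructed sample input of the kind a bio or comment field receives.
$bio     = 'Dev & "tinkerer" <3 PHP';
$comment = 'Hi <b>all</b>, "quotes" & \'apostrophes\' stay';

// <, >, &, " and ' become entities; the browser shows the original text.
echo render_profile($bio, $comment), "\n";

// strip_tags() alone: the <b> tags are gone, but the quotes survive,
// so placing the result inside an attribute still closes that attribute
// early and produces broken markup.
$stripped = strip_tags($comment);
echo $stripped, "\n";
echo '<p title="' . $stripped . '">', "\n";

// Combining both: strip_tags() drops the user's markup (if that is the
// desired policy), then htmlspecialchars() makes whatever remains inert.
echo '<p title="' . esc($stripped) . '">', "\n";
```

Run it from the command line with php to compare the three outputs; only the htmlspecialchars()-escaped variants are safe to echo into a page.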