Help filtering out HTML and script tags.

Question

I have my first fully functioning php website almost ready to go live except I haven't allowed for filtering out HTML and script tags from my forms, form fields and urls.

User input has been validated to match my criteria, values are escaped before database entry.

I was generally considering using preg_match against different regex to filter HTML and script tags, and some of my forms already have this in place on validation (all php) but for the rest of the filtering I have some queries, concerns and questions regarding php filter_var for sanitization.

Firstly:

My free text fields need work.

I need to allow users to be able to type a description with the use of general punctuation.

Would this work: (not sure if the regex is right and if this is the best way to approach the filtering)

// if isset Post textfield

// allow only letters, numbers, general punction and limit to 265 chars

$check = "/^[a-zA-Z0-9\s.,-] {1-265}$/"

if (preg_match (&check, $_GET['textfield'])) {

// allow

} else {...

Or is there a better way to do this with filter_var, would this allow users to type what they needed and just remove anything that is a threat, such as:

// if isset Post textfield

$var = $_POST['textfield']

(filter_var($var, FILTER_SANITIZE_STRING));

// then check matches my criteria

// if ok enter into database

Secondly:

On urls where variables are passed is it enough to filter the variables using one of the above methods, this would actually only be using a check for numbers or letters for my variables (not punctuation). Or again is there a better way to do this with the filter_var : OR am I misunderstanding the filter_var function, it seems to be too easy does it really get rid off all the bad stuff.

if(isset($_GET['var1'])) {

(filter_var($var1, FILTER_SANITIZE_URL));

}

// then continue with code

Finally again regarding url, even if variables are not passed when a page is loaded should I be checking that the url is just the url? And how would I do this? Using filter_var?

As always any help is much appreciated.

Thank you in advance.

David_Powers · Accepted Answer

Since the information is coming from the $_POST and $_GET arrays, use filter_input().

If you're checking $_POST['textfield']:

$sanitized = filter_input(INPUT_POST, 'textfield', FILTER_SANITIZE_STRING);

$sanitized contains the string stripped of all tags.

If you're checking var1 passed through the $_GET array:

$clean_var1 = filter_input(INPUT_GET, 'var1', FILTER_SANITIZE_STRING);

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded