It’s a question almost every PHP developer asks yourself. By me the most simple way to sanitize the user input is to save everything in the database with no loosing of tags or whatever HTML markup and than on displaying this on the client side to strip_tags if needed.
In example when saving a HTML formatted text you can use simply the htmlspecialchars method
$description = htmlspecialchars($_POST['description']);
Than you can be sure everything’s in the database, but it’s not actually HTML. Thus you don’t have any tags at all in the database field.
When you show this in the client side and you’d like to strip some tags, i.e. to keep only the <a> tag you can do this:
echo strip_tags(htmlspecialchars_decode($description), '<a>');
That’s the most simple way to keep everything as the original source. By me it’s better to keep whatever HTML markup there is on the input.
- How to Collect the Images and Meta Tags from a Webpage with PHP
- Automatically Upload Images with PHP Directly from the URI
- PHP if-else-endif Statements
- Wanted – onfocus/onblur. Why They Don’t Work Always!
- Iterate over YouTube Channel with Zend_Gdata_YouTube