This is a very
good practice and secures your scripts better if you strip the use
of HTML tags from user input.Lets just say you have a form that lets your users make a post to your site. By default they could post something like this instead of text:
<IFRAME SRC="http://google.com" WIDTH=450 HEIGHT=100>
</IFRAME>
So to keep that from happening you need to do the following with the input from the us
PHP Code
Example:
<?
// $post is the variable that holds the
user input from your script
$post
= $_POST['post']; // Put input into the variable
$post
$post_text
= htmlspecialchars($post);
// Now $post_text
holds the input with the HTML stripped out
?>
Note:
htmlspecialchars doesn't actually take the html out, it just don't
run the code, instead just displays it
The users post would now print this to the screen instead of executing the HTML:
<IFRAME SRC="http://google.com" WIDTH=450 HEIGHT=100>
</IFRAME>
If you done a view source on the html you would see this:
<IFRAME SRC="http://google.com" WIDTH=450 HEIGHT=100>
</IFRAME>
The users post would now print this to the screen instead of executing the HTML:
<IFRAME SRC="http://google.com" WIDTH=450 HEIGHT=100>
</IFRAME>
If you done a view source on the html you would see this:
<IFRAME SRC="http://google.com" WIDTH=450 HEIGHT=100>
</IFRAME>
