This question already has an answer here:
** Update - following the link that deceze kindly posted to a similar question lead me to a great article by deceze here The Great Escapism which gave me all the answers I needed. To anyone finding this question due to similar issues I urge you to read this article **
I'm allowing users to enter information through a textarea on my site.
I'm aware that there is a security risk whenever a user can enter information into a site.
I want to be able to preserve whitespace / newlines from their entry but I'm also mindful of stripping HTML tags etc out of their input.
I have written a function that replaces with <br/> before the data retrieved from the database gets outputted to the browser (I also stripslashes before I output to the browser).
I have a function that will strip out HTML tags from the entered text that I can run before putting the user entry into the database.
I'm unsure if this is all that I need to do? Does anyone have either a list of checks I need to do before putting user-entered info into the database and then before displaying it in a browser? Or even a set of sanitising functions that they use for this?
I've looked at esc_html() and sanitize_text_field() and filter_var($output, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES) but I'm really unsure when I should be using what function?
Help much appreciated :-)
</div>
You can use mysql_real_escape_string() to prevent sql-injection. You can find a good basic tutorial here