Comments on: Escaping and sanitizing user input in PHP

By: Greg

Greg — Mon, 23 Jan 2012 18:12:45 +0000

Can you elaborate more on why you should not use strip tags? Perhaps a link with more information?

By: Kremchik

Kremchik — Wed, 27 Apr 2011 15:37:36 +0000

Nice article! I suppose there is a misprint in “MySQL database queries” section: - just ‘=’ is missing.
And how do you think, may be htmlspecialchars() is better than htmlentities()? There is a problem with htmlentities() if there are non-latin characters in the string.

By: ElbertF

ElbertF — Sat, 24 Jul 2010 04:15:41 +0000

I always do, didn’t know it was exploitable though.

By: svenn

svenn — Fri, 23 Jul 2010 12:17:35 +0000

Great post. If I read correct I should always use header() to encode UTF-8 when using UTF-8 on output aswell ? (to protect from http://shiflett.org/blog/2005/dec/googles-xss-vulnerability) ?