Screening the text of an input form (examples being a Contact Form, Employment Application or Order Form) is an essential part to producing a client approved product without compromising the website due to PHP hackers.
We recommend developing a PHP library with commonly used functions. Our two favourites are shown below.
The first function cleans the input variable of white space and converts HTML specials commands to ASCII. This is important when you don't want people executing HTML commands within your input form. A must for any safe developer.
function clean_string($input_string) {
$result = trim($input_string); // Remove blank space
$result = htmlspecialchars($result, ENT_QUOTES); // Replace special characters with ASCII equivalents
return $result;
}
The second function converts the stored value (commonly retrieved from a MySQL database) to readable output.
function decode_string($input_string) {
$result = htmlspecialchars_decode($input_string, ENT_QUOTES); // Revert ASCII equivalents to original format
$result = nl2br($result); // Code in line returns
return $result;
}