Forms provide a really good way for a hacker to try and fiddle with the internal ‘gubbings’ of your PHP code both in a normal PHP software development situation and customising WordPress with PHP.
The following functions allow a PHP developer to clean up the form’s data before they start to process it with their PHP code.
- trim –
- stripslashes
- htmlspecialchars
Typically you can cascade the piece of data from the form through these functions.
$formvalue = trim($formvalue);
$formvalue = stripslashes($formvalue );
$formvalue = htmlspecialchars($formvalue );
They can obviously be nested into one line for brevity:
$formvalue = htmlspecialchars(stripslashes(trim($formvalue)));
Using the above will remove characters such as space, tab and newline. It will then take out any ‘\’ characters. Finally any html tags are neutralised by characters such as <> being replace by their respective PHP escape codes. For example: > for the greater than symbol >.
