Michael Fabbro
Software & Web Development
Forms provide a really good way for a hacker to try and fiddle with the internal ‘gubbins’ of your PHP code, both in a normal PHP software development situation and when customising WordPress with PHP.
The following functions allow a PHP developer to clean up the form’s data before they start to process it with their PHP code.
Typically you can cascade the piece of data from the form through these functions.
$formvalue = trim($formvalue);            // strip leading/trailing whitespace
$formvalue = stripslashes($formvalue);    // remove backslashes (added by addslashes/magic quotes)
$formvalue = htmlspecialchars($formvalue); // turn &, <, >, " into HTML entities
They can obviously be nested into one line for brevity:
$formvalue = htmlspecialchars(stripslashes(trim($formvalue)));
Using the above strips leading and trailing whitespace (space, tab, newline) from the value. It then removes any ‘\’ characters. Finally, any HTML tags are neutralised: characters such as < and > are replaced by their respective HTML entities, for example &gt; for the greater-than symbol >.
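The cascade above wrapped into reusable functions, as an added example that is not code from the original post. The function names (clean_form_value, clean_form) and the sample submission are assumptions made for this illustration. It passes ENT_QUOTES so single quotes are escaped too (PHP's default before 8.1 left them alone) and ENT_SUBSTITUTE so a field containing invalid UTF-8 is not silently turned into an empty string. Note that htmlspecialchars() only makes a value safe to print inside HTML; it does nothing for SQL, where prepared statements are still required.

```php
<?php
// Added example (not the post's own code): a reusable wrapper around the
// trim -> stripslashes -> htmlspecialchars cascade described above.
// Function names and the sample input are assumptions made for this example.

declare(strict_types=1);

/**
 * Clean a single form value for safe output inside HTML text or a
 * double- or single-quoted attribute.
 *
 * - trim()             strips leading/trailing whitespace only (space, tab, newline, ...)
 * - stripslashes()     removes backslashes added by legacy magic_quotes / addslashes()
 * - htmlspecialchars() turns & < > " ' into HTML entities so the browser
 *                      shows them as text instead of interpreting them as markup.
 *
 * ENT_QUOTES also escapes single quotes (not done by default before PHP 8.1);
 * ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning ''.
 */
function clean_form_value(string $value): string
{
    $value = trim($value);
    $value = stripslashes($value);
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Apply clean_form_value() to every string in a submitted form array.
 * Handles nested arrays (e.g. <input name="tags[]">) and rejects any other type,
 * since browser-submitted fields only ever arrive as strings or arrays of strings.
 *
 * @param array<string, mixed> $form  e.g. $_POST
 * @return array<string, mixed>
 */
function clean_form(array $form): array
{
    $clean = [];
    foreach ($form as $key => $value) {
        if (is_array($value)) {
            $clean[$key] = clean_form($value);
        } elseif (is_string($value)) {
            $clean[$key] = clean_form_value($value);
        } else {
            // Anything that is not a string or array did not come from a normal form post.
            throw new InvalidArgumentException("Unexpected type for field '$key'");
        }
    }
    return $clean;
}

// Constructed sample submission standing in for $_POST (not captured traffic).
$submitted = [
    'name'    => "  O\\'Brien \n",
    'comment' => '<script>alert(1)</script> said "hi"',
    'tags'    => ['<b>bold</b>', ' php '],
];

$clean = clean_form($submitted);

// Each value is now safe to echo directly into an HTML page.
foreach ($clean as $field => $value) {
    echo $field, ': ', is_array($value) ? implode(', ', $value) : $value, PHP_EOL;
}
```

Run it with `php clean_form.php`: the leading/trailing whitespace and the backslash before the apostrophe disappear, and the `<script>` tag and quotes come out as entities rather than live markup. Because escaping is tied to where the value is printed, a common refinement is to store the trimmed raw value and call clean_form_value() at output time instead of before saving.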