
I have a question about SECURITY related to POST data in PHP.

The context:

I have several inputs (text, email, radio) and some textareas, e.g.:

<input type="text" name="entries[]">          <!-- input array -->

<input type="text" name="username">

<textarea name="message[]">...</textarea>     <!-- textarea array -->

What I'm doing is sending all the values to the *.php page and then printing all of them, e.g.:

if ($_POST)
{
    // entries[] and message[] arrive as arrays, username as a string
    $entries = htmlspecialchars($_POST['entries'], ENT_QUOTES);
    $username = htmlspecialchars($_POST['username'], ENT_QUOTES);
    $message = htmlspecialchars($_POST['message'], ENT_QUOTES);

    echo $username;
    echo...
    echo...
}

I do not know much about security. Is it OK with JUST htmlspecialchars...? Or do I have to use other functions?

The data is JUST printed with echo on the *.php page (no MySQL).

And yes, my question is about the code that the user can put in each INPUT, because I don't want to limit their contents to just text or numbers, or similar.

Thanks.


1 Answer


You need to loop over the arrays.

$entries = array_map('htmlentities', $_POST['entries']);
$username = htmlentities($_POST['username']);
$message = array_map('htmlentities', $_POST['message']);

or to include ENT_QUOTES you can use:

$entries = array_map(function($x) {
    return htmlentities($x, ENT_QUOTES);
}, $_POST['entries']);

and similarly for $message.

    Think it should have quotes encoded as well, `ENT_QUOTES`. – chris85 Aug 27 '15 at 01:56
  • @Barmar Thanks a lot! One doubt... For variables with ENT_QUOTES is... htmlentities($_POST['username'], ENT_QUOTES); but for the array...? Thanks again! – Tom Aug 27 '15 at 21:13
  • I've added how you can use an anonymous function to give additional arguments like `ENT_QUOTES`. – Barmar Aug 27 '15 at 22:38
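The approach from the answer above, carried one step further as an added example (not code from the question or the answer): a recursive escape_deep() helper handles the entries[] and message[] arrays, nested arrays, and plain strings alike, states the charset explicitly and substitutes invalid UTF-8 instead of silently returning an empty string. The helper name and the sample $post array are constructed for this example.

```php
<?php
// Added example; escape_deep() and the sample $post below are constructed here.
declare(strict_types=1);

function escape_deep(mixed $value): array|string
{
    if (is_array($value)) {
        // Recurse so entries[] / message[] and any nested arrays are all covered.
        return array_map('escape_deep', $value);
    }
    if (!is_scalar($value) && $value !== null) {
        // Objects or resources never arrive via a form POST; fail loudly if seen.
        throw new InvalidArgumentException('Unexpected POST value type: ' . get_debug_type($value));
    }
    // ENT_QUOTES escapes both ' and " (attribute contexts), ENT_SUBSTITUTE replaces
    // invalid UTF-8 rather than returning '', and the charset is given explicitly.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample POST data, in the shape the form in the question submits.
$post = [
    'entries'  => ['<b>first</b>', "Tom's \"entry\""],
    'username' => '<script>alert(1)</script>',
    'message'  => ['Line one', "\xB1 not valid UTF-8"],
];

$safe = escape_deep($post);

// Each value is now safe to echo into HTML text or quoted attributes.
foreach ($safe['entries'] as $entry) {
    echo $entry, "<br>\n";
}
echo $safe['username'], "<br>\n";
foreach ($safe['message'] as $msg) {
    echo $msg, "<br>\n";
}

// The one-liner from the question, htmlspecialchars($post['entries'], ENT_QUOTES),
// cannot do this: on PHP 8 it throws a TypeError because it receives an array,
// and on PHP 7 it emitted a warning and returned null.
```

Escaping is applied at output time only; the raw $post values are left untouched so they could still be stored or validated separately.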