
I am designing a basic ecommerce application, where I have a form to add a product.

There are 2 text fields: product name, and description.

product name is input type="text", description is textarea

As the user can input anything (worst case scenario), I want to remove all tags (no matter whether it's PHP, HTML, JS, CSS, anything), so that I get just plain text (without any tags).

How can I achieve this? Basically, I need to sanitize the string to make it plain text.

I-M-JM

3 Answers


If you just want to rip out all tags from the user input, then you can use the strip_tags() function.

A better option would be to run the user input through HTML Purifier. It's a more complete clean.

AgentConundrum
  • I'll definitely add that one to my arsenal when "heavy weaponry" is needed - that looks like a great library! – Michael Petrov Aug 21 '11 at 05:59
  • I think if he needs no HTML tags for text formatting then he can just use htmlspecialchars() for the output. And it should be enough. – Karolis Aug 21 '11 at 14:06
  • This keeps ` ` and `"/\r|\n/"` .. see this [link](https://stackoverflow.com/questions/10757671/how-to-remove-line-breaks-no-characters-from-the-string) to remove those.. – Ahmad Yousef Oct 15 '17 at 13:52

I would suggest the strip_tags function, perhaps try something like this:

```php
$cleaner_input = trim(strip_tags($input)); // trim is there for good measure
```

Make sure that you're also handling magic quotes, otherwise actual quote characters can become a problem and get backslashes before them (they are being deprecated but are still relevant in most hosting environments).

Keep in mind that strip_tags will keep the text between tags, so that would be somewhat of a problem for JavaScript/CSS, but at least the browser will render it as pure text. Give a preview to the user that is entering the data and they will see that they messed up.

Hope that helps!

Michael Petrov
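Putting the two answers above together, here is an added example (my own code, not from either answer) of a plain-text cleaner for the two product fields. It covers the points raised in the answers and comments: magic quotes, the fact that strip_tags() keeps the body of script/style elements, line-break normalisation, and escaping with htmlspecialchars() only at output time. The function names, the length limit and the sample input are assumptions.

```php
<?php
// Added example: reduce untrusted form input to plain text.
// Names (to_plain_text, escape_for_html) and the limits are my own choices.

declare(strict_types=1);

/**
 * Reduce untrusted form input to plain text.
 * Returns the cleaned string; never echo it back without escape_for_html().
 */
function to_plain_text(string $input, int $maxLength = 2000): string
{
    // Magic quotes (PHP < 5.4) add backslashes before quotes on arrival;
    // undo that first so the text is what the user actually typed.
    // The version check short-circuits, so no deprecation notice on newer PHP.
    if (PHP_VERSION_ID < 50400 && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $input = stripslashes($input);
    }

    // strip_tags() keeps the *contents* of <script>/<style>, so remove those
    // whole elements (with their bodies) before stripping the remaining tags.
    $input = preg_replace('#<(script|style)\b[^>]*>.*?</\1\s*>#is', '', $input) ?? '';

    // Remove every remaining tag: HTML, and PHP "<?php ... ?>" blocks too.
    // No allowed-tags list, because the question wants plain text only.
    $input = strip_tags($input);

    // Normalise line breaks (CRLF/CR -> LF), collapse runs of blank lines, trim.
    $input = str_replace(["\r\n", "\r"], "\n", $input);
    $input = preg_replace("/\n{3,}/", "\n\n", $input) ?? '';
    $input = trim($input);

    // Enforce a length limit so the description cannot be used to bloat storage.
    return mb_substr($input, 0, $maxLength, 'UTF-8');
}

/** Escape a stored plain-text value for insertion into an HTML page (the preview). */
function escape_for_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input, roughly what a hostile user might submit.
$submitted = "  <b>Blue Widget</b><script>alert('x')</script>\r\n\r\n\r\n"
           . "Price is \"low\" & <?php echo 'not run'; ?> fine  ";

$name = to_plain_text($submitted, 100);
var_dump($name);                        // tags gone, quotes and '&' kept as typed
echo escape_for_html($name), "\n";      // safe to place inside an HTML element
```

The split matters: the stored value is plain text with the user's quotes and ampersands intact, and the HTML escaping happens once, at the point where the value is rendered. Doing the escaping at input time instead would double-encode the text as soon as it is displayed by any other code path that also escapes.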

There is an easy way.

For versions of php<5.2.0, when we have to validate or filter user data, we normally use regexes and/or complex PHP functions.
Some of those regexes are difficult to understand/remember. So normally most coders search Google to collect the correct regex.

For php>=5.2.0 you can use filter_var.

dusoft
Panos Kalatzantonakis
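As an added example of the filter_var approach from the answer above (my own code, not dusoft's), the following runs both product fields through filter_var_array() with a FILTER_CALLBACK, and uses FILTER_SANITIZE_FULL_SPECIAL_CHARS for the HTML preview. FILTER_SANITIZE_STRING is deprecated from PHP 8.1, so the callback falls back to strip_tags() there. The field names, helper names and sample POST body are assumptions.

```php
<?php
// Added example: sanitizing the product form with filter_var()/filter_var_array().
// Field names and helper names are my own assumptions.

declare(strict_types=1);

/** Strip tags and trim one field; used as a FILTER_CALLBACK below. */
function plain_text_filter(string $value): string
{
    if (PHP_VERSION_ID < 80100) {
        // FILTER_SANITIZE_STRING strips tags like strip_tags() does. Without
        // FILTER_FLAG_NO_ENCODE_QUOTES it would also turn quotes into entities,
        // which we do not want in a stored plain-text value.
        $value = (string) filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
    } else {
        // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; strip_tags() is the equivalent.
        $value = strip_tags($value);
    }
    return trim($value);
}

/**
 * Sanitize a POST array. Keys not in the definition are dropped; missing keys
 * come back as null (add_empty = true) so the caller can reject an incomplete form.
 */
function sanitize_product_post(array $post): array
{
    $definition = [
        'product_name' => ['filter' => FILTER_CALLBACK, 'options' => 'plain_text_filter'],
        'description'  => ['filter' => FILTER_CALLBACK, 'options' => 'plain_text_filter'],
    ];
    $clean = filter_var_array($post, $definition, true);
    return $clean === false ? [] : $clean;
}

/** For the preview page: entity-encode for HTML (same as htmlspecialchars() with ENT_QUOTES). */
function for_html(string $text): string
{
    return (string) filter_var($text, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

// Constructed sample POST body; in the real handler this would be $_POST.
$post = [
    'product_name' => "  <script>alert(1)</script>Red \"Widget\"  ",
    'description'  => "Cheap & <b>cheerful</b>\n<?php echo 'not run'; ?>",
    'unexpected'   => 'dropped because it is not in the definition',
];

$clean = sanitize_product_post($post);
var_dump($clean);   // only product_name and description, tags removed, trimmed

foreach ($clean as $field => $value) {
    if ($value === null) {
        echo $field, ": missing\n";
        continue;
    }
    echo $field, ': ', for_html((string) $value), "\n";
}
```

The definition array doubles as an allow-list of accepted fields, which is a useful property for a form handler: anything the form did not declare is discarded before it reaches the database layer. Regardless of which filter is used on input, the value still needs HTML escaping when rendered, which is what for_html() does for the preview.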