Anonymous (Guest)
Astafas, thanks for your post. It's a good start on cleaning up user input. However, PHP already has a built-in function that is more or less equivalent to your strip_html() function. It's called htmlspecialchars(). You also might want to check out the strip_tags() function.
Concerning your clean() function, it seems a little... overzealous. Limiting the length of a string is good to avoid letting a long string of letters with no whitespace, for example, break your layout, but there's no sense in arbitrarily chopping off a string at length X if there are spaces (assuming you wish to allow the text to wrap). The documentation page concerning the wordwrap() function has some discussion concerning a better way to do this (scroll down to comments and read, starting from the bottom, and pay particular attention to notes concerning HTML and URLs if such things concern you).
Anyway, perhaps the biggest vulnerability to be addressed is the register_globals issue. The best way to avoid that is to a) turn off register_globals!, and b) always initialize your variables before you access them, and use === where appropriate (so PHP knows the difference between unset and false, and also between true and "x" or "1" or "array(1, 2, 3)").
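As an added illustration (not code from the original post or its author), here is the uninitialized-variable pattern the reply warns about beside a version that follows its advice, plus the built-in escaping and wrapping functions it mentions. The variable names ($authorized, $role, $comment) and the use of a session-held role are assumptions made for this example.

```php
<?php
// Added example, not from the original thread. Names are assumptions.

// ---- Pattern the reply warns about (fragile under register_globals = On) ----
// With register_globals enabled, a request such as ?authorized=1 defines a
// global $authorized = "1" before this script runs. Because $authorized is
// only assigned on the admin path and never initialized, the later test is
// satisfied for a non-admin caller, and the loose == treats "1" as true.
if (isset($_SESSION['role']) && $_SESSION['role'] == 'admin') {
    $authorized = true;
}
if (isset($authorized) && $authorized == true) {
    // privileged action
}

// ---- Hardened form following the reply's advice ----
// a) register_globals = Off in php.ini (the default since PHP 4.2, removed in
//    PHP 5.4); b) initialize before use, read input only from the superglobals,
//    and compare with === so unset, false, "1", "x" and array(1, 2, 3) stay distinct.
$authorized = false;                 // initialized first: request input cannot pre-set it
$role = isset($_SESSION['role']) ? (string) $_SESSION['role'] : '';
if ($role === 'admin') {
    $authorized = true;
}
if ($authorized === true) {          // "1" == true is true, but "1" === true is false
    // privileged action
}

// ---- Output handling with the built-ins instead of a hand-rolled strip_html() ----
$comment = isset($_POST['comment']) ? (string) $_POST['comment'] : '';
$comment = substr($comment, 0, 2000);        // hard length cap against oversized input

// Wrap BEFORE escaping: wrapping the escaped text could split an entity such as
// &amp; across lines. wordwrap() counts bytes, so multibyte UTF-8 input needs a
// multibyte-aware wrapper instead. cut=true breaks whitespace-free runs that
// would otherwise stretch the layout, without chopping the whole string.
$wrapped = wordwrap($comment, 80, "\n", true);

// htmlspecialchars() turns < > & " ' into entities so markup is displayed, not rendered.
$safe = htmlspecialchars($wrapped, ENT_QUOTES, 'UTF-8');

// strip_tags() is the alternative when tags should be dropped rather than shown.
$plain = strip_tags($wrapped);

echo nl2br($safe);
```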