Too many people are obsessed with "filtering" bad inputs.
You don't have to "filter" anything. You don't have to remove HTML tags. You don't have to remove SQL keywords. You don't have to strip quotes or backslashes.
All you have to do is make sure that whatever the user typed doesn't screw around with what you're trying to do.
Want to put it into HTML? Make sure it doesn't screw around with your HTML.
Want to put it into SQL? Make sure it doesn't screw around with your SQL.
Want to send it in JSON? Make sure it doesn't screw around with your JSON.
And every single one of those situations has a simple, single best-practice solution:
HTML? Use htmlspecialchars with ENT_QUOTES* and the correct charset.
SQL? Use prepared statements.
JSON? Use json_encode.
That's it. No filter_vars or filter_inputs, no strip_tags, no regular expressions, nothing stupid like that. User wants to look cool and type <script> tags into their forum post? Go ahead and let them, because it'll just show up as plain and simple text. Like it just did now.
* Only actually required if you are putting the input into a single quote-delimited tag attribute. Using double quotes for your attributes? Not outputting into an HTML tag? Then you don't technically need ENT_QUOTES.
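
The three rules above applied to one hostile-looking string, as an added PHP example that is not part of the original post. The input string, the `posts` table and the in-memory SQLite database are constructed for illustration, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Constructed sample input: markup, single quotes and SQL-looking text.
// Nothing is stripped from it; it is only encoded for each output context.
$input = "<script>alert('hi')</script> O'Brien'; DROP TABLE posts; --";

// HTML context: encode on output. ENT_QUOTES also encodes ' so the value
// is safe inside a single-quoted attribute as well as in element text.
$html = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
echo "<p>$html</p>\n";
echo "<input type='text' value='$html'>\n";

// SQL context: prepared statements. The value is bound as data and is
// never spliced into the query text.
// Assumption: pdo_sqlite is installed; an in-memory database keeps this offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)');

$insert = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
$insert->execute([':body' => $input]);

$select = $db->prepare('SELECT body FROM posts WHERE body = :body');
$select->execute([':body' => $input]);
$stored = $select->fetchColumn();
var_dump($stored === $input); // compares the stored text with the original

// JSON context: json_encode escapes quotes, backslashes and control characters.
$json = json_encode(['body' => $input], JSON_THROW_ON_ERROR);
echo $json, "\n";
$decoded = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
var_dump($decoded['body'] === $input); // compares the decoded text with the original
```

If that JSON is later written into an HTML page instead of being sent as a response body, it is in an HTML context again; json_encode accepts the JSON_HEX_TAG, JSON_HEX_AMP, JSON_HEX_APOS and JSON_HEX_QUOT flags for that case.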