
Filtering input and strip_tags?


deerly


Hello!

I am currently working on a project that is unable to use the handy-dandy filter_var functions because it is using an older version of PHP 5.

Obviously I still want to filter the input, but I don't want to make things slow with a complicated regular expression if I don't have to.

This is actually something that's always confused me: how would you want to go about filtering a block of text that should be able to use punctuation, including single and double quotes?

Would strip_tags be a good enough filter for a title and block of message text to be safe but still allow the user to freely use punctuation, or is this too easily exploited?

Thanks for any ideas and insight that I am missing!


If by "filter" you mean strip things you don't like, then yes, it doesn't filter. I typically avoid doing such a thing on input that doesn't need to meet specific restrictions. For instance, I will be specific with characters in a username, password, etc., but I wouldn't filter a user's post to his blog. Sometimes people like to use things that could qualify as "scary" to an algorithm; for instance, mathematical inequalities (5 > 4 > 3) could scare some HTML-stripping algorithms. I don't expect my users to know HTML, so I don't expect them to know how to avoid posting strings that look like HTML. If they want to post something like... [pre]<a href="candy.jpg"></a>[/pre] Sure, I'll let them do it, but it's also sure as hell going to end up being... [pre]<a href="candy.jpg"></a>[/pre] ...once it is sent to other users.

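The two approaches discussed in this thread side by side, as an added example that is not code from either poster. It runs the constructed sample strings below (my own, not from the thread) through strip_tags() as an "input filter" and through htmlspecialchars() as an output escape, and then shows the case the first post is worried about: a title with no tags at all that strip_tags leaves untouched but that breaks out of an HTML attribute if it is printed unescaped. The helper names are my own; only strip_tags() and htmlspecialchars() are PHP's.

```php
<?php
// Added example. Compares strip_tags() on input with htmlspecialchars() on output
// for text that legitimately contains quotes, inequalities and things that merely
// look like HTML. Works on PHP 5.x; no filter_var() needed.

// Constructed sample inputs (assumption: things a user might type in a title/post).
$samples = array(
    'math'   => '5 > 4 > 3, and "double" with \'single\' quotes',
    'link'   => 'see <a href="candy.jpg">candy</a>',
    'stray'  => 'this < that <b>bold',          // unbalanced '<', then a real tag
    'script' => 'hi <script>alert(1)</script>',
    'attr'   => 'x" onmouseover="alert(1)',     // no tags at all
);

// What the first post asks about: strip tags from the stored text.
function filter_on_input($text) {
    return strip_tags($text);
}

// What the reply recommends: store the text as typed, escape when rendering.
// ENT_QUOTES escapes both " and '. Passing the charset explicitly matters on
// PHP < 5.4, where the default charset is ISO-8859-1 rather than UTF-8.
function escape_on_output($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Rendering a title inside an attribute, first unescaped, then escaped.
function render_attr_unescaped($title) {
    return '<input type="text" value="' . $title . '">';
}
function render_attr_escaped($title) {
    return '<input type="text" value="' . escape_on_output($title) . '">';
}

foreach ($samples as $name => $text) {
    printf("%-7s input:      %s\n", $name, $text);
    // strip_tags removes <a>, <b>, <script>; the stray '<' in 'stray' is
    // handled differently across PHP versions and may eat following text.
    printf("%-7s strip_tags: %s\n", $name, filter_on_input($text));
    // htmlspecialchars keeps every character the user typed, as visible text.
    printf("%-7s escaped:    %s\n", $name, escape_on_output($text));
    echo "\n";
}

// The 'attr' sample survives strip_tags unchanged, so if the "filtered" title is
// later echoed into an attribute the quote closes the value and an event handler
// attribute follows. Escaping at the point of output closes that hole.
$title = filter_on_input($samples['attr']);
echo "after strip_tags, unescaped: ", render_attr_unescaped($title), "\n";
echo "after strip_tags, escaped:   ", render_attr_escaped($title), "\n";
```

The point the reply makes is visible in the output: strip_tags() throws away characters the user meant to write and still cannot make the text safe for every place it might be printed, while escaping with htmlspecialchars() at output time keeps the punctuation intact and makes the attribute case inert. Run it with `php example.php`.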
