Stop parsing

[jaymc]

I have a profile system on my website which allows members to fill in fields with data

For example

[b]First name = Jamie[/b]

But, what happens when you get a scripty who comes along and does this

[b]First name = <? echo "HI"; ?>[/b]

It screws up the page... I need a way to stop it from parsing

I have found a tag called [b]<xmp> [/b] which does actually work for both HTML and PHP suprisingly

Im just wondering if this is the proper way to go about protecting my site from code injection.

If it is, do I have to wrap <xmp></xmp> around any dynamic data a member can submit

Thanks

[trq]

First name = <? echo "HI"; ?> should not effect your page unless you are using [url=http://php.net/eval]eval[/url] in some evil way.

In any case, just strip unwanted chars from the string.

[jaymc]

Im not using eval, but it is still causing problems

So, the professional way to go about this is to basically to

str_replace() any occurances of
[b]<?
<?php
?>[/b]

[printf]

Instead of removing stuff, just make it safe!

[code]htmlentities();
// or
htmlspecialchars();[/code]

me!

[jaymc]

So basically put that when ever echoing out any piece of data that is coming from the users fields?