I am trying to make sure all my inputs are secure, protecting the server and against XSS attacks. Is validating input with strip_tags and htmlentities a foolproof system? I have been told it was and would like to confirm. I.e., for example:
$re = htmlentities(strip_tags($_GET['re']), ENT_COMPAT, "UTF-8");
This should prevent any Linux commands and any HTML links, correct? Are there any vulnerabilities that haven't been considered with this?
This is not at all what `htmlentities` is for. Use `htmlentities` to encode your output before it is sent to the browser. It has nothing to do with sanitizing input. The only thing you need to worry about when processing input is properly escaping data being interpolated into SQL queries to prevent SQL injection. See PHP Data Objects for more on that.

`strip_tags` is debatably useful here, but you don't need to use both `strip_tags` and `htmlentities`. The whole purpose of `htmlentities` is that it prevents the tags from being interpreted. The only correct way to think about this is: preserve the content the user entered and render it safe. Don't strip their tags, just encode them so they appear as they were typed. Otherwise you wind up stripping things like `<sarcasm>` and `<rant>` tags. The intent of the user was not to inject HTML.

"Linux commands" have nothing to do with HTML. There is no way to execute arbitrary Linux commands through HTML/script injection.

If you are actually taking user-supplied input and executing it via `system` or something in that vein, you are already in trouble. This is a terrible idea and you shouldn't do it.</rant>
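The following is an added PHP example, not code from the question or the answer, that shows the separation the answer argues for: store the user's text as typed, bind it as a parameter when it goes into SQL, and encode it only at the HTML boundary. Beside it, the questioner's `strip_tags` + `htmlentities` combination is run over the same constructed inputs so the loss of the `<sarcasm>` text is visible. The SQLite in-memory database, the table name and the sample strings are assumptions made so the script runs stand-alone.

```php
<?php
// Added example (not from the original question or answer).
// Assumed: PHP with the PDO SQLite driver; an in-memory database so this
// runs without any setup.

declare(strict_types=1);

// Constructed sample inputs, as they might arrive in $_GET['re'].
$samples = [
    'plain text',
    '<sarcasm>this is fine</sarcasm>',
    '<script>alert(1)</script>',
    "Robert'); DROP TABLE users;--",
];

// Output-side encoding for an HTML text node or attribute value.
function htmlEncode(string $s): string
{
    // ENT_QUOTES also encodes single quotes, so the result is safe inside
    // attributes delimited with either quote style. ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The questioner's approach: strip_tags discards the user's own markup
// (and the text inside tags it does not recognise is kept without context),
// while the SQL side is not addressed at all.
function stripThenEncode(string $s): string
{
    return htmlentities(strip_tags($s), ENT_COMPAT, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Store the raw text. The value is bound as data, never spliced into the
// SQL string, so the "Robert');" sample is stored literally.
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
foreach ($samples as $s) {
    $insert->execute([':body' => $s]);
}

// Render: the same stored text, encoded at the HTML boundary. The browser
// shows "<script>alert(1)</script>" as text instead of running it.
$rows = $pdo->query('SELECT body FROM comments ORDER BY id')
            ->fetchAll(PDO::FETCH_COLUMN);

foreach ($rows as $body) {
    printf("stored  : %s\n", $body);
    printf("encoded : %s\n", htmlEncode($body));
    printf("stripped: %s\n\n", stripThenEncode($body));
}
```

Run it with `php example.php`. The `encoded` line for the `<sarcasm>` sample still contains the user's tags as visible text, whereas the `stripped` line has silently reduced it to `this is fine`; the SQL sample is stored unchanged by the prepared statement in both cases, which is the point the answer makes about keeping input handling and output encoding separate.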