I’ve read up on SQL Injection, XSS and other security issues and am trying to figure out what to use to safeguard the company’s site.

We are about to deploy a simple ‘User feedback’ form with a textarea so users can tell us how to improve the site to enhance their user experience.

When the user pushes ‘submit’ on the form, we read the textarea comments from the user, and then programmatically create a filename in that user’s subfolder and save their comments to a file. Then we add the filename and path to that user’s database record.

The team is not worried about security issues here but I am. Their thinking is “we create the filename, it is 0% based on any user input, and since we write this ‘UserX comments’ filename and path to the database with no direct user influence — there is no risk.”

My concern is NOT the database activity — because they’re right, the user has no role in WHAT we write to their database record since we’re just creating our own filename and storing it in their db record.

My concern is the text file!

So I’m petitioning our small team to rewrite the code to use security to read then write the user’s comments in the textarea to the text file.

My concern is — since we plan to actually READ our user’s feedback and open these text files to read them later on — there might be bad stuff in the textarea that (unless we clean it) could hurt us somehow.

I’m insisting we use strip_tags() but I need to sound informed about the manner in which we sanitize the textarea input — I’m thinking strip_tags() is the way to go here but I’m 100% new to sanitizing user input. I looked at htmlspecialchars() but that just converts certain characters like ‘&’ to &
and so forth.

Are there other ways to santize/make safe any text the user types into a textarea before we write it out to a file on our web server?