I use this, Please can some one create a best way for me
[php]function html_filter($myVariable){
$var = strip_tags(trim($myVariable));
return $var;
}[/php]
What exactly do you want to achieve? Is this about incoming data? Outgoing data? And why do you think filtering helps you?
The code you’ve shown makes no sense. Not only does this provide no security whatsoever. It’s even harmful, because it silently mangles the input and leaves you with a mess of broken data. For example, the perfectly valid and completely harmless string “I just <3 PHP” will be turned into the nonsensical fragment “I just ”.
Manipulating user input is generally a very bad idea. When you process incoming data, just leave it alone and store it as is. If the input has to conform to specific syntax rules (e. g. it must be number), you may of course validate and reject it. But do not alter the input. When you process outgoing data, escape it for the specific target context. For example, the [tt]htmlspecialchars()[/tt] function will apply HTML-escaping so that the data can safely be used in (most) HTML contexts.
It took me a long time to get it in my pea head to never change incoming data (user’s input for example), but to never to trust it (Output that is). ;D The only thing I ever do is use the trim function to prevent people from accidentally (or purposely) putting in spaces in a field. Output is where you want to prevent users from doing the nasties. If you use prepared statements in your mysqli_ or PDO (My Recommendation) then 99.9 percent of time you’ll be OK.
An when you output user’s input to the screen then make sure you use htmlspecialchars or a 3rd party script that cleans output. You can even write a function to save you typing htmlspecialchars all the time -
[php]function html_escape($raw_input) {
// important! don’t forget to specify ENT_QUOTES and the correct encoding
return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, ‘UTF-8’);
}[/php]
You should also consider using a template engine like Twig which supports automatic escaping. Doing it manually is fairly error-prone.
In addition to that, use Content Security Policy. This is an HTTP header which allows you to define a whitelist of trustworthy JavaScript sources. Modern browsers will then block all other scripts, making cross-site scripting attacks a lot more difficult. Ideally, you should avoid inline scripts altogether and load your own code from a separate domain via HTTPS (e. g. [tt]https://static.yoursite.com/scripts/foo.js[/tt]).
A short demo:
[php]<?php
const CSP_HEADER =
'Content-Security-Policy: ’
.“default-src ‘none’;” // blacklist everything by default
.‘img-src *;’ // images may be loaded from anywhere
.‘script-src https://static.example.com;’ // the only valid source for JavaScript code is now https://static.example.com
.‘style-src https://static.example.com;’ // the same for stylesheets
.“frame-ancestors ‘none’;” // disallow frames to prevent clickjacking attacks
;
header(CSP_HEADER);
?>
CSP test [/php]