Security is important, really important.
Here you can find a script that stops code injection through the POST method: no HTML, no JS …
UPDATED: New code
function clean($var) { // request string cleaner
    if (is_array($var)) return array_map('clean', $var); // nested POST arrays: clean each element
    // magic quotes (removed in PHP 5.4, function gone in PHP 8) added backslashes to input; undo them first
    if (get_magic_quotes_gpc()) $var = stripslashes($var);
    // NOTE: mysql_real_escape_string() needs an open mysql_* connection (extension removed in PHP 7);
    // without one it returns false and the value becomes an empty string. It also SQL-escapes data
    // that may never reach a query, so values used elsewhere can end up with stray backslashes.
    $var = mysql_real_escape_string($var);
    return strip_tags($var, ''); // return the cleaned value with all tags removed
}

function hackerDefense() { // thanks to Allen Sanford
    // begin hacker defense
    foreach ($_POST as &$postvalue) { // iterate by reference so $_POST itself is updated
        $postvalue = clean($postvalue); // clean the value in place
    }
    unset($postvalue); // drop the reference left behind by the by-reference loop
} // end hacker defense
OLD CODE: Don’t use this!!!
Simple but effective.
function hackerDefense() {
    // begin hacker defense - Thanks Kreuznacher | wurdzwurk
    // NOTE: eregi() was deprecated in PHP 5.3 and removed in PHP 7
    foreach ($_POST as $secvalue) {
        if ((eregi("<[^>]*script.*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*object.*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*iframe.*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*applet.*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*window.*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*document.*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*cookie.*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*meta.*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*style.*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*alert.*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*form.*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*php.*\"?[^>]*>", $secvalue)) ||
            (eregi("<[^>]*]*>", $secvalue))) {
            die("There was a problem with your post. Please do not include code.");
        }
    }
    // end hacker defense
}
Hacker defense – Thanks Kreuznacher | wurdzwurk
To use it, just call the function at the beginning of your script.
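For comparison, here is an added example (not the post's code) that checks each POST field against what it should contain and then encodes at the sink that needs it, a prepared statement for SQL and htmlspecialchars() for HTML, instead of one global cleaner; the field names, the comments table and the length limit are assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not the original post's code. Validate each field for what it
// should be, then encode at the sink: a prepared statement for SQL, htmlspecialchars()
// for HTML. Field names, the comments table and the length limit are assumptions.

function validatePost(array $post): array
{
    $rules = [
        'user_id' => fn($v) => filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]),
        'email'   => fn($v) => filter_var($v, FILTER_VALIDATE_EMAIL),
        // free text: enforce type and length only; '<' is legitimate here and is handled at output
        'comment' => fn($v) => strlen($v) <= 2000 ? $v : false,
    ];
    $clean = [];
    foreach ($rules as $field => $check) {
        $value = $post[$field] ?? null;
        $result = is_scalar($value) ? $check((string) $value) : false;
        if ($result === false) {
            throw new InvalidArgumentException("Invalid or missing field: $field");
        }
        $clean[$field] = $result;
    }
    return $clean; // fields not in $rules are never copied, so unexpected keys are dropped
}

function storeComment(PDO $db, array $fields): void
{
    // Bound parameters keep data separate from the SQL text; no escaping function is involved.
    $stmt = $db->prepare('INSERT INTO comments (user_id, email, body) VALUES (:uid, :email, :body)');
    $stmt->execute([':uid' => $fields['user_id'], ':email' => $fields['email'], ':body' => $fields['comment']]);
}

function renderComment(string $body): string
{
    // Encode for the HTML text context at output time, so '<' is displayed, not parsed as a tag.
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample standing in for $_POST; SQLite in memory keeps the demo self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INT, email TEXT, body TEXT)');
$sample = ['user_id' => '42', 'email' => 'a@example.com', 'comment' => "1 < 2 and 'quotes' survive", 'extra' => 'x'];
storeComment($db, validatePost($sample));
echo renderComment((string) $db->query('SELECT body FROM comments')->fetchColumn()), "\n";
```

The stored comment keeps its `<` and quotes intact in the database and only gets entity-encoded when rendered, which is what a blanket strip_tags() plus SQL escaping at input time cannot do.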