Thread: protecting text in a form text area

Hi, a question for php experts

I have a simple form where people can enter details, then later they can retrieve and amend it with a password through the same form. The form contains a few textareas.

Currently to clean the text I use

$entered_text = nl2br($entered_text);
$entered_text = strip_tags($entered_text,"<br>");

This seems to work OK but occasionally it gets confused and loses all the <br> so everything gets turned into one paragraph.

Is this code enough to protect against malicious users when they find the form? Is there a better way to handle things? I think I'm maybe missing the obvious but have searched everwhere for a 'standard' script and can't find one.

Cheers!

User input is hell. Look at all the filters Markus Breitenbach puts strings through to protect against various attacks: A Safe String Solution for better PHP Security in Applications

Err that's about 5 light years beyond me, and it still ends with 'Probably it would require "fixing" various database abstraction layers and template-engines to get this all into some usable state.'

I'd been looking at autop() from New Lines to Paragraphs — Matt Mullenweg, looks like the kind of thing I'm after but it didn't work straight off and I can't work out all the regular expressions (and would prefer not to have to try).

All entry on my form gets checked before the entry goes live so I hoped that reduced the need for checks a bit?!