Strip out anything that can be interpreted by php
Strip out anything that can be interpreted by PHP. I only realised this myself a few days ago. Spammers were using my enquiry form and were putting PHP scripts into the actual text box. So use:
stripslashes()
strip_tags()
escapeshellcmd()
htmlspecialchars()
Those are PHP commands, by the way.
I think that should do it.
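As an added example that is not part of the post above, the PHP below runs the four functions the poster lists against a constructed spam payload of the kind described (PHP code typed into the enquiry text box) and checks what is left for display. The function names, the `$magicQuotesActive` switch and the sample payload are assumptions made for this example; `strip_tags()`, `htmlspecialchars()`, `stripslashes()` and `escapeshellcmd()` are the standard PHP functions.

```php
<?php
// Added example, not code from the original post: cleaning one free-text
// enquiry-form field before it is echoed into an HTML page. The helper
// names, the $magicQuotesActive flag and the $spam payload are assumptions.

declare(strict_types=1);

/**
 * Clean one free-text field for safe display in HTML.
 *
 * - stripslashes()     only makes sense if the server's old magic_quotes
 *                      setting pre-escaped the input (removed in PHP 5.4),
 *                      so it is applied only when that flag says so.
 * - strip_tags()       removes HTML and PHP tags, so a "<?php ... ?>" block
 *                      typed into the text box is dropped here.
 * - htmlspecialchars() encodes &, <, >, " and ' so whatever remains is
 *                      rendered as literal text, never as markup.
 */
function cleanEnquiryField(string $raw, bool $magicQuotesActive = false): string
{
    if ($magicQuotesActive) {
        $raw = stripslashes($raw);
    }
    $noTags = strip_tags($raw);
    return htmlspecialchars($noTags, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * escapeshellcmd() belongs on a different path: it is for text that is
 * about to be placed on a shell command line (for example a mail pipe).
 * Building shell commands from form input is best avoided altogether;
 * this helper only shows where the call would sit if it were needed.
 */
function shellSafeSubject(string $subject): string
{
    return escapeshellcmd($subject);
}

/** Returns true when no raw tag opener survived the cleaning step. */
function looksSafeForHtml(string $cleaned): bool
{
    return strpos($cleaned, '<') === false && strpos($cleaned, '<?') === false;
}

// Constructed payload of the kind the post describes: PHP code typed into
// the text box, plus an HTML injection attempt and some innocent quotes.
$spam = "Hello <?php system('id'); ?> <script>alert(1)</script> O'Reilly \"quoted\"";

$displaySafe = cleanEnquiryField($spam);

echo "Cleaned for HTML : " . $displaySafe . PHP_EOL;
echo "Tag-free         : " . (looksSafeForHtml($displaySafe) ? 'yes' : 'no') . PHP_EOL;
echo "Shell-escaped    : " . shellSafeSubject("Enquiry; rm -rf /") . PHP_EOL;
```

Run it from the command line with `php example.php`. The order matters: `strip_tags()` runs first so that tags are removed before encoding, and `htmlspecialchars()` runs last so that the `<` of any tag fragment that survives is turned into `&lt;` rather than being left for the browser to interpret.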