sanitize string to make its content only to plain text

I am designing an basic ecommerce application, where I have a form to add product.

There are 2 text fields: product name, and description.

product name is input type="text", description is textarea

As user can input anything (worst case scenario), I want to remove all tags (no matter its PHP, HTML, JS, CSS, anything), so that I get just plain text (w/o any tags)

How can 开发者_StackOverflow中文版I achieve this? Basically, I need to sanitize string, so any to make it plain text

If you just want to rip out all tags from the user input, then you can use the strip_tags() function.

A better option would be to run the user input through HTML Purifier. It's a more complete clean.

I would suggest the strip_tags function, perhaps try something like this:

$cleaner_input = trim(strip_tags($input)); // trim is there for good measure

Make sure that you're also handling magic quotes, otherwise actual quote characters can become a problem and get backslashes before them (they are being depreciated but are still relevant in most hosting environments).

Keep in mind that strip_tags will keep text between tags, so would be somewhat of a problem for JavaScript/CSS but at least the browser will render it as pure text. Give a preview to the user that is entering the data and they will see that they messed up.

Hope that helps!

There is an easy way.

For versions of php<5.2.0 when we have to validate or filter user data, we normally use regex and/or complex php functions.
Some of those regex are difficult to understand/remember. So normally most of the coders search in google to collect the correct regex.

For php>=5.2.0 you can use filter_var.