Validate a GET string but still use special characters?

One of my GET variables allows for all the characters that can mess up a URL by urlencoding them. Trouble is that means tags can be passed to the script and displayed in the html, not good! Especially since it gets used to run a SELECT on a mysql db.

So what I'm using at the moment is a hashed together preg_replace that strips out any tags (below)

// Strip anything that looks like an HTML tag. The original used the /e modifier,
// which evaluates the replacement as PHP code and was removed in PHP 7; it is not
// needed for a plain deletion, so it is dropped here.
$getstring = preg_replace("/(<\/?)(\w+)([^>]*>)/", "", $getstring);

Is this sufficient or is there a gaping big hole I've missed?


htmlspecialchars() will allow special characters to be displayed. HTML tags will be shown as normal text (i.e. escaped) so if anyone has too much time, you can see what they've tried. If you want to filter some tags after that, use the previous attempts to guide you.

If you want to allow some formatting, use strip_tags with a whitelist to allow some basic tags. Alternatively, a markup language such as Markdown (used here) or ReMarkable might be useful, depending on the user's technical level.

It sounds as if you're vulnerable to SQL Injection, too. You should be using parametrised queries wherever possible, using mysqli (the question has the mysql-query tag) or PDO. PDO::prepare() should get you up to speed on this.
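Putting the two points of this answer together (escape at output with htmlspecialchars, bind the value with a PDO prepared statement instead of splicing it into the SELECT), here is an added example that is not code from the question or from either answer. The `q` parameter, the `items` table and its columns, and the DSN and credentials are assumed placeholders.

```php
<?php
// Added example (not from the original question or answers). Assumes a
// hypothetical `items` table with `name`/`description` columns and a placeholder DSN.
declare(strict_types=1);

// 1. Read the raw GET value; PHP has already URL-decoded it for us.
$term = isset($_GET['q']) ? (string) $_GET['q'] : '';

// 2. Constrain the shape, not just the content: a length limit keeps the
//    query cheap and rejects obviously oversized input early.
if (mb_strlen($term) > 100) {
    http_response_code(400);
    exit('Search term too long.');
}

// 3. Database: the value is bound as data, never concatenated into the SQL,
//    so quotes or comment sequences in it cannot alter the statement.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
$stmt = $pdo->prepare('SELECT name, description FROM items WHERE name LIKE :pattern');
// LIKE wildcards are still interpreted inside bound data, so escape the
// user's "%" and "_" (and the escape char itself) to match them literally.
$pattern = '%' . addcslashes($term, '%_\\') . '%';
$stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
$stmt->execute();

// 4. Output: escape at the point of HTML insertion, so "<script>" is shown
//    as literal text. Rows from the database are escaped too; stored data
//    is no more trustworthy than the request that produced it.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

echo '<p>Results for <strong>' . h($term) . '</strong></p><ul>';
foreach ($stmt as $row) {
    echo '<li>' . h($row['name']) . ': ' . h($row['description']) . '</li>';
}
echo '</ul>';
```

Note that no tag-stripping regex is needed at all: the input is kept intact, and each sink (SQL, HTML) applies its own escaping.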


Try using: http://www.php.net/manual/en/function.htmlspecialchars.php
