👀 Views: 236 💬 Answers: 1 📅 Created: 2025-06-10

php security input-sanitization PHP

I'm confused about I just started working with I've looked through the documentation and I'm still confused about I tried several approaches but none seem to work... Quick question that's been bugging me - I'm working with a frustrating scenario where using `filter_var` to sanitize data from an HTML form doesn't seem to work as expected. I'm on PHP 7.4, and I'm trying to sanitize user input from a contact form. The form includes a text field for a user's message. I'm using the following code to process the form data: ```php if ($_SERVER['REQUEST_METHOD'] === 'POST') { $message = filter_var($_POST['message'], FILTER_SANITIZE_STRING); // Further processing... } ``` However, when I submit a message containing HTML tags like `<script>alert('test');</script>`, the `$message` variable still contains those tags. I expected it to be stripped away. I also tried using `FILTER_SANITIZE_FULL_SPECIAL_CHARS`, but it didn't yield the desired outcome either: ```php $message = filter_var($_POST['message'], FILTER_SANITIZE_FULL_SPECIAL_CHARS); ``` Despite my attempts, the output remains the same. I've checked my PHP configuration, and `filter` extension is enabled. I’m also using the latest version of Chrome, and I've tested it in other browsers as well. Any insights into why `filter_var` isn't properly sanitizing this input? Is there a better approach to sanitize user input in this context? I want to prevent XSS vulnerabilities, so any help would be greatly appreciated! I'm working on a service that needs to handle this. I'm working on a service that needs to handle this. Any help would be greatly appreciated! This issue appeared after updating to Php LTS. Thanks for taking the time to read this!