I am creating a function that validates text input by a user. As I have various uses for the input text, I would like the function to cover as many areas as possible with regard to the security concerns of letting a user input text on any part of a website. I currently make use of various pieces of code that validate the various inputs as required and am trying to consolidate the security part of this into one function, and the regex (email, tel, password validation) into another that can be used throughout the website.
I have a question relating to this.
I use this bit of filtering in order to clean user input when checking the input against info in the database:
$find = strtoupper($find);
$find = strip_tags($find);
$find = trim($find);
$_SESSION['find'] = $find;
$keywords_array = explode(' ', $find);
If I use strip_tags does it make sense to validate the input like this prior to the filtering applied above:
if (preg_match("#\bscript\b#", $_POST['search']))
{
    // Get user ip
    // Log client details to DB
    $GLOBALS['errorFocus'] = "autofocus class='thisInputIsError'";
    $GLOBALS['searchError'] = '<p>Your IP has been logged!</p>';
}
If so, what other tags should I be watching out for?
Also, what other things should I be watching out for in general with regard to the function I am trying to put together?
Any links to some GOOD tutorials that cover this would be great too :)
Thank you!
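As an added example (not code from the question or any answer), here is one way to separate the three jobs the question runs together: normalising the search text, logging input that looks like markup, and actually protecting the page by encoding on output and binding database parameters. The `products` table, the `$pdo` connection and the function names are my own assumptions.

```php
<?php
// Added example, not from the original post. Assumes a PDO connection in $pdo
// and a products(id, name) table; function names are illustrative.

// 1. Normalise the search text for the database lookup (same steps as the post).
function normalise_search(string $raw): array {
    $find = strtoupper(strip_tags(trim($raw)));
    $keywords = array_values(array_filter(explode(' ', $find), 'strlen')); // drop empty tokens
    return ['find' => $find, 'keywords' => $keywords];
}

// 2. Detection only: flag input that carries markup so it can be logged.
//    This is a signal to record, not what makes the page safe.
function looks_suspicious(string $raw): bool {
    return $raw !== strip_tags($raw) || preg_match('#\bscript\b#i', $raw) === 1;
}

// 3. Protection for HTML output: encode at the point of use, for that context.
function html_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 4. Protection for the database: never concatenate keywords into SQL; bind them.
function find_products(PDO $pdo, array $keywords): array {
    if ($keywords === []) {
        return [];
    }
    $clauses = implode(' OR ', array_fill(0, count($keywords), 'UPPER(name) LIKE ?'));
    $stmt = $pdo->prepare("SELECT id, name FROM products WHERE $clauses");
    $stmt->execute(array_map(fn(string $k): string => "%$k%", $keywords));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input: ordinary text that still contains characters with
// HTML meaning. strip_tags() removes the <b> element for the search; the quote
// and ampersand survive and are made safe by html_text() when echoed.
$raw  = " O'Reilly & <b>Sons</b> ";
$norm = normalise_search($raw);          // find => "O'REILLY & SONS"
if (looks_suspicious($raw)) {
    error_log('search contained markup from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
}
echo '<p>Results for ' . html_text($raw) . '</p>';
// $rows = find_products($pdo, $norm['keywords']);  // with a live $pdo
```

The `script` regex stays only as a logging signal; the page is protected by `html_text()` on every echo and by the bound `?` parameters in the query, regardless of what the input contains.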
scripttag into page variables may not be a hacker (e.g. they may be following a malicious link). Record their IP by all means, but just throw a nice 404 or redirect to your homepage.