Injection prevention


dwx1
08-10-2006, 04:55 PM
Does anyone know any good functions for replacing characters with entities to prevent injection? Preferably, I'd like to still allow bold, italics, and underline, as well as links. Right now I'm using this:


$str = ereg_replace(";", "%3b", $str);
$str = ereg_replace("&", "&", $str);
$str = ereg_replace("<", "&lt;", $str);
$str = ereg_replace(">", "&gt;", $str);
$str = ereg_replace("\n", "<br>", $str);
$str = ereg_replace('\\\"', "&quot;", $str);
$str = ereg_replace("\\\'", "'", $str);
$str = ereg_replace(",", ",", $str);
$str = ereg_replace(":", "%3a", $str);

$str = eregi_replace("&lt;b&gt;", "<b>", $str);
$str = eregi_replace("&lt;/b&gt;", "</b>", $str);
$str = eregi_replace("&lt;i&gt;", "<i>", $str);
$str = eregi_replace("&lt;/i&gt;", "</i>", $str);

Not so sure how to handle the anchor tag. Also, are there any other characters I should be replacing?

Thanks very much.

bokeh
08-10-2006, 05:15 PM
htmlentities()

Not so sure how to handle the anchor tag.

Well, how do you want to handle it?

dwx1
08-10-2006, 05:21 PM
Well how do you want to handle it?

Well, I mean I want to allow it to be used, but is there a way to do so that would still prevent compromising code from being used in the href?

bokeh
08-10-2006, 05:50 PM
Have a look at this (http://www.webdeveloper.com/forum/showpost.php?p=616126&postcount=2).

NogDog
08-10-2006, 06:08 PM
You could use strip_tags() (http://us2.php.net/strip_tags), entering a list of allowed tags in its 2nd parameter.
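An added example (not code from anyone in this thread) that ties the two answers together for dwx1's original question: escape everything with htmlspecialchars(), re-enable a small allow-list of attribute-free tags, and rebuild anchors from a validated http(s) href so that event handlers and javascript: URLs never reach the output. It also shows the caveat NogDog's suggestion needs: strip_tags() keeps the attributes of any tag you allow, so it cannot police href or onclick by itself. The sample input is constructed for the demo, and the code assumes the input arrives without magic_quotes backslashes (uses preg_* rather than the removed ereg_* functions, so it runs on PHP 7 and 8).

```php
<?php
// Added example for the thread above; not the posters' code.

// Only absolute http(s) URLs survive. This rejects javascript:, data:,
// vbscript:, relative and protocol-relative links.
function allowedUrl(string $rawHref): ?string
{
    // The href was escaped along with everything else, so undo that first.
    $url = trim(html_entity_decode($rawHref, ENT_QUOTES, 'UTF-8'));
    if (!preg_match('~^https?://[^\s"\'<>]+$~i', $url)) {
        return null;
    }
    return $url;
}

function sanitizeMarkup(string $input): string
{
    // 1. Escape every special character. From here on nothing is markup,
    //    which is what the original snippet did by hand with ereg_replace().
    $out = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

    // 2. Re-enable <b>, <i>, <u> only when they carry no attributes;
    //    "&lt;b onclick=..." does not match and stays escaped.
    $out = preg_replace('~&lt;(/?)(b|i|u)&gt;~i', '<$1$2>', $out);

    // 3. Rebuild anchors. Group 1 is the escaped attribute string (stopping at
    //    the first &gt;), group 2 the escaped link text.
    $out = preg_replace_callback(
        '~&lt;a\b((?:(?!&gt;).)*)&gt;(.*?)&lt;/a&gt;~is',
        function (array $m): string {
            if (!preg_match('~href=&quot;(.*?)&quot;~is', $m[1], $h)) {
                return $m[2];                 // no href: keep the text, drop the tag
            }
            $url = allowedUrl($h[1]);
            if ($url === null) {
                return $m[2];                 // disallowed scheme: keep the text only
            }
            // Only the validated href is emitted; onclick etc. are discarded.
            return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
                . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $out
    );

    // 4. Newlines to <br>, as in the original snippet.
    return nl2br($out, false);
}

// strip_tags() with an allow-list leaves allowed tags verbatim, attributes
// included, so on its own it does not stop javascript: hrefs or event handlers.
function stripTagsKeepsAttributes(string $html): string
{
    return strip_tags($html, '<a>');
}

// Constructed sample input (assumed for the demo).
function sampleInput(): string
{
    return <<<'HTML'
Hello <b>world</b> & friends <i>ok</i>
<a href="http://example.com/?a=1&b=2" onclick="steal()">site</a>
<a href="javascript:alert(1)">bad</a>
<script>alert(1)</script>
HTML;
}

echo sanitizeMarkup(sampleInput()), "\n\n";
echo stripTagsKeepsAttributes('<a href="javascript:alert(1)" onclick="x()">link</a>'), "\n";
```

Running it, the first anchor comes back as `<a href="http://example.com/?a=1&amp;b=2" rel="nofollow">site</a>` with the onclick gone, the javascript: link is reduced to the word `bad`, and the script block stays escaped; the second echo shows strip_tags() returning its input unchanged because `<a>` was allowed. Validating the decoded href against an explicit scheme allow-list, rather than blacklisting `javascript:`, is what closes the case-variant and entity-encoded bypasses.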