Ok. So the blatantly obvious solution is strip_tags($_POST) and strip_tags($_GET), but I have a feeling that doing that may well do something to the arrays I don't want to happen and cause very hard to track down bugs later in the apps life or just not work at all.

Is it as simple as that? If not, what would you suggest? foreach is useless because it never works on the array its self.

foreach($_POST as $key=>$value)
{
$_POST[$key] = strip_tags($_POST[$key]);
}

However, per the strip_tags() documentation (http://www.php.net/manual/en/function.strip-tags.php):
Because strip_tags() does not actually validate the HTML, partial, or broken tags can result in the removal of more text/data than expected.

Aye. I read that but I'm not worried about it. I'm only stripping php and html from places it shouldn't be in the first place, so if the page doesn't work for someone that is up to no good then it's just an acceptable side effect to me. So redefining the $_POST[$key] array like that won't cause it to misbehave? I just always stayed away from trying to alter anything that starts with an underscore incase I broke it. :eek:

The $_POST and $_GET arrays are just the stuff the calling page sent. It's no more dangerous modifying them than most any other array. (I'd be a bit more cautious about messing with something like the $_SERVER array. :) )

$_NICE_ONE[':D'];