Escape output

Just like input data, all output data must also be filtered, even when you're getting "safe" data from a database (which has already been through your input filter). The same variables I just talked about should also be filtered before displaying them.

The most important thing to filter out is HTML tags, as they can cause a lot of damage. The easiest way to do this is with the htmlentities() function which automatically escapes all the HTML, like so:

This code immediately removes any possible Cross-Site-Script attacks, whereby an attacker could inject JavaScript into your pages, and steal cookies from other users. If it's possible, you should also use the third argument of the htmlentities function, which is the encoding/charset type. Even Google isn't immune to security exploits, as they forgot to use the appropriate encoding when escaping HTML, causing a XSS attack. Read more about this exploit on Chris Shiflett's blog, but basically you should always set the encoding type:

If you don't want to escape all HTML tags, but want to allow a few tags you can use the strip_tags() function, but be aware that this could lead to security problems with regards to JavaScript being injected into your pages, even if you disallow the