I'm trying to create a very simple form on my site to handle user-inputted data. I have an HTML file with a simple form in it, which submits a piece of text to a PHP file for processing.

Code:
<form action="page2.php" method="post"> <input type="text" name="data"/> <input type="submit" value="Submit"/> </form>

Before doing anything at all with the user-inputted text, I replace all non-alphanumeric characters with blank spaces.

Code:
$x = preg_replace("/[^a-zA-Z0-9\s]/", " ", $_POST["data"]);

So my question is: does this method effectively prevent all possible XSS attacks on the PHP file? It would be awesome if someone experienced in white-hat hacking could offer their perspective on this.
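As an added example (not code from the thread), the script below runs the asker's whitelist filter and, beside it, PHP's htmlspecialchars() output encoding over a few constructed inputs, so the two approaches can be compared directly. The sample strings and the two helper function names are assumptions made for the illustration; htmlspecialchars() and preg_replace() are standard PHP functions.

```php
<?php
// Added example, not part of the original post. Compares the asker's
// character whitelist with context-aware output encoding. All sample
// inputs below are constructed for the illustration.

// The asker's filter: keep ASCII letters, digits and whitespace only;
// everything else becomes a space. Note that this runs bytewise (no /u
// flag), so every byte of a multibyte UTF-8 character is replaced.
function whitelist_filter(string $input): string
{
    return preg_replace('/[^a-zA-Z0-9\s]/', ' ', $input);
}

// Output encoding for an HTML body or a quoted attribute value. The data
// is kept intact; the characters that matter at render time (<, >, &, ",
// ') are turned into entities. ENT_SUBSTITUTE avoids returning an empty
// string on invalid UTF-8.
function html_encode(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed samples: two classic XSS payloads and two legitimate
// strings that the whitelist would damage.
$samples = [
    '<script>alert(1)</script>',
    '" onmouseover="alert(1)',
    "O'Reilly & Sons <b>rocks</b>",
    'Ünïcödé café',
];

foreach ($samples as $s) {
    printf("input:     %s\n", $s);
    printf("whitelist: %s\n", whitelist_filter($s));
    printf("encoded:   %s\n\n", html_encode($s));
}
```

Run it with `php example.php`. For the first sample the whitelist leaves only the words "script alert 1 script" separated by spaces, so no tag survives; the encoded version keeps the whole string but renders as literal text inside `<p>...</p>` or `value="..."`. The difference shows up on the last two samples: the whitelist discards the apostrophe, the ampersand and every non-ASCII letter, while encoding preserves them. Whichever you choose, the encoding has to match the context the value is placed in (HTML body, attribute, JavaScript, URL); htmlspecialchars() covers the first two only.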
Based on my experience, your method is very effective, because not only do you disallow HTML tags, but also characters which could be used for scripting (i.e. ;
And by the way, use single quotes instead of double quotes when you don't need string processing; it's faster. E.g. 'Hello world!' instead of "Hello world!". Or "Hello world!\n" --> \n will be processed as a new line.