Tag Archives: Output

Escape Output

• One of two fundamental security rules: (1) filter and validate all input; (2) escape output

• Always escape outside data unless previously filtered

• Typical output formats that require escaping when containing user data: html, json, sql

•  Never rely on client side (javascript) filtering

• Functions used to escape data before outputting within html: htmlspecialchars() htmlentities() strip_tags()


This function will turn output buffering on. While output buffering is active no output is sent from the script (other than headers), instead the output is stored in an internal buffer.

The contents of this internal buffer may be copied into a string variable using ob_get_contents(). To output what is stored in the internal buffer, use ob_end_flush(). Alternatively, ob_end_clean() will silently discard the buffer contents.

 function callback($buffer) {
 return (str_replace("PHP", "PHP Codez", $buffer));
 <p>Welcome to PHP</p>

The output will be Welcome to PHP Codez