1. I have a form which has name, family, email, birthday (which is a select) and gender, which is two different radio buttons, one for male and another one which obviously is for female.
Now, please, can someone explain to me how to prevent XSS attacks on these fields in PHP?
My form data is like this:
<form action="register.php" method="post">
    <div>
        <table>
            <tr><td><?php echo $lang['5']; ?> :</td><td> <input type="text" name="name" maxlength="254" class="required" /></td></tr>
            <tr><td><?php echo $lang['6']; ?> :</td><td> <input type="text" name="family" maxlength="254" class="required" /></td></tr>
            <tr><td><?php echo $lang['59']; ?> :</td><td> <input type="text" name="email" maxlength="254" class="required" /></td></tr>
            <tr><td><?php echo $lang['74']; ?> :</td><td> <input type="text" name="repeat" maxlength="254" class="required" /></td></tr>
            <tr><td><?php echo $lang['60']; ?> :</td><td><input type="password" name="password"/></td></tr>
            <tr>
                <td><?php echo $lang['8'] ?> :</td>
                <td>
                    <select name="day">
                        <option><?php echo $lang['9'] ?></option>
                        <?php
                        for ($i = 1; $i <= 31; $i++) {
                            echo "<option value=\"{$i}\">{$i}</option>\n";
                        }
                        ?>
                    </select>
                    <select name="month">
                        <?php
                        for ($i = 0; $i <= 12; $i++) {
                            $i = str_pad($i, 2, "0", STR_PAD_LEFT);
                            echo "<option value=\"{$i}\">"; T(1, $i); echo "</option>\n";
                        }
                        ?>
                    </select>
                    <select name="year">
                        <option><?php echo $lang['11'] ?></option>
                        <?php
                        for ($i = 1300; $i <= 1373; $i++) {
                            if ($i == $birthdate['0']) {
                                echo "<option value=\"{$i}\" selected=\"selected\">{$i}</option>\n";
                            } else {
                                echo "<option value=\"{$i}\">{$i}</option>\n";
                            }
                        }
                        ?>
                    </select>
                </td>
            </tr>
        </table>
        male : <input type="radio" name="gender[]" />female : <input type="radio" name="gender[]" /><br />
        <input type="submit" name="submit" value="<?php echo $lang['63']; ?>" onclick="formhash(this.form, this.form.password);"/>
    </div>
</form>
For name and family I did something like this, to get just HTML entities with this pattern:
$name = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $name);
$family = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $family);
And for email I did it like this:
$email = preg_replace("^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*(\.[a-zA-Z]{2,3})$^", "", $email);
Is this preg_replace secure enough, or maybe I need to use htmlentities or htmlspecialchars?
2. And for the second question: is it necessary to escape posted data which comes from radio buttons or select options, and if it is necessary, how should I escape them?
3. I just read about HTMLPurifier. Now, if I have a status field which a user can update, should I use HTML Purifier for people's statuses, and for this register form maybe?
Thanks in advance.
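The three questions above share one answer: validate each field against what it is supposed to be on input, and escape with htmlspecialchars whenever a stored value is printed back into HTML. The following is an added example written for this post, not code from the question itself; it assumes the radio buttons are changed to a single `name="gender"` with `value="male"` / `value="female"`, and that the select values are the integer ranges the form above generates.

```php
<?php
// Added example (not from the original post): validate on input, escape on output.
// Assumes POST fields name, family, email, day, month, year and gender (radio
// with value="male"/"female"); these names are assumptions, not from the question.
declare(strict_types=1);

const GENDERS = ['male', 'female'];   // whitelist for the radio field

function validate_registration(array $post): array
{
    $errors = [];
    $clean  = [];

    // Free-text fields: do NOT strip characters with preg_replace (a name like
    // "O'Brien" is legitimate); just bound the length. Escaping happens on output.
    foreach (['name', 'family'] as $field) {
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '' || mb_strlen($value) > 254) {
            $errors[$field] = 'required, at most 254 characters';
        }
        $clean[$field] = $value;
    }

    // Email: validate and reject, instead of "repairing" it with a regex.
    $email = (string)($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid address';
    }
    $clean['email'] = $email;

    // Select fields are user-controlled like any other input: an attacker can
    // post any value, so enforce the form's own integer ranges server-side.
    $ranges = ['day' => [1, 31], 'month' => [1, 12], 'year' => [1300, 1373]];
    foreach ($ranges as $field => [$min, $max]) {
        $opts = ['options' => ['min_range' => $min, 'max_range' => $max]];
        $n = filter_var($post[$field] ?? null, FILTER_VALIDATE_INT, $opts);
        if ($n === false) { $errors[$field] = 'out of range'; }
        $clean[$field] = $n;
    }

    // Radio field: same rule, compare against the whitelist, no escaping needed.
    $gender = $post['gender'] ?? '';
    if (!in_array($gender, GENDERS, true)) { $errors['gender'] = 'unknown value'; }
    $clean['gender'] = $gender;

    return [$clean, $errors];
}

// Output escaping is what actually prevents XSS; apply it to every value
// printed into HTML, regardless of how it was validated on the way in.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

HTMLPurifier belongs only to a field that is meant to contain HTML (a rich-text status); plain fields like these are stored as text and escaped with `h()` when displayed.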