While not too bad a prospect, it didn’t work, sadly, because ini_set had been used incorrectly: PHP complained of an “unexpected” encapsulated string on line 10…
Unfortunately, he had also neglected to make use of PHP’s many built-in string-handling functions, particularly those that help defeat cross-site scripting and injection attacks.
Passing text through htmlspecialchars converts each of the following characters into its HTML entity:
- Less-than and greater-than signs (`<` becomes `&lt;`, `>` becomes `&gt;`);
- Ampersands (`&` becomes `&amp;`, which is also how PHP.net recommends writing the ampersands of a query string inside a URL in HTML);
- Double quotes by default, and single quotes as well once the ENT_QUOTES flag is passed (from PHP 8.1 onwards ENT_QUOTES is the default; on older releases the default ENT_COMPAT leaves `'` untouched, so pass the flag explicitly).
However, for a more blanket approach, perhaps htmlentities would have been better: it does everything htmlspecialchars does and additionally converts every character that has a named HTML entity (é to `&eacute;`, and so on). Note that this buys display robustness for non-ASCII text rather than extra safety; against XSS, htmlspecialchars with ENT_QUOTES and the correct character set already neutralises every character that can break out of an HTML text node or a quoted attribute.
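The difference in practice, as an added example written for this post (it is not the reviewed script’s code): the attacker-style input string and the `render*` helper names are constructed for illustration, and the single-quoted `title` attribute stands in for whatever attribute the untrusted value is dropped into.

```php
<?php
// Added example: htmlspecialchars() with and without ENT_QUOTES, versus
// htmlentities(). Helper names and sample input are constructed for this post.

// Constructed attacker input: closes a single-quoted attribute, then injects
// an event handler before re-opening an attribute so the markup stays valid.
$untrusted = "x' onmouseover='alert(1)' data-x='";

// Constructed text with non-ASCII characters, to show what htmlentities adds.
$nonAscii = "Café & <crème brûlée>";

// ENT_COMPAT: encodes & < > and double quotes, but leaves single quotes alone.
// This is the default flag set on PHP versions before 8.1.
function renderCompat(string $s): string {
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// ENT_QUOTES: also encodes single quotes, so the value cannot terminate a
// single-quoted attribute. ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of returning an empty string (which would silently drop output).
function renderQuotes(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// htmlentities: same flags, but every character with a named entity is
// converted as well; only needed when the page charset cannot carry the text.
function renderEntities(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Both values are placed inside a single-quoted attribute; only the second
// keeps the attribute closed, because the quote has become &#039;.
echo "<a title='" . renderCompat($untrusted) . "'>ENT_COMPAT</a>\n";
echo "<a title='" . renderQuotes($untrusted) . "'>ENT_QUOTES</a>\n";

// The non-ASCII string: htmlspecialchars leaves the accented letters as
// UTF-8 bytes, htmlentities turns each of them into a named entity.
echo renderQuotes($nonAscii), "\n";
echo renderEntities($nonAscii), "\n";
```

Run it with `php` on the command line and compare the two `<a>` lines: the ENT_COMPAT one ends up with an `onmouseover` attribute, the ENT_QUOTES one does not. Two things the example relies on that are easy to forget: the attribute in the template must itself be quoted (an unquoted attribute can be broken out of with a space, which neither function encodes), and the third argument should always name the page’s actual character set, otherwise multibyte sequences may be mishandled.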