2

Possible Duplicate:
What are the best practices for avoiding xss attacks in a PHP site

I have a form that user can fill in their personal information. The user submits the form and A web service will process these information and store the information in mysql database.

But what if users enter html tag, php code, or javascript in the input field. I would like to prevent that. I know in javascript there's a method call escapehtml, in php it's strip_tags.

I just want to know the correct way of disabling the abilities to type html, php, script from input field. Do I use strip_tags for all input I received?If I use strip_tags, how to disable script? Or there is away to do it in mysql?

Thank you

This is the form:

<div>
    <label class='info-title whitetext' for="name">Full Name: </label>
    <input type="text" name="name" id="name" size='25' maxlength="100" required />
</div>

<div>
    <label class='info-title whitetext' for="phone">Phone: </label>
    <input type='text' pattern='\d+' name='phone' id='phone' size='25' maxlength='12' />
</div>

<div>       
    <label class='info-title' for="email">Email: </label>
    <input type="email" name="email" id="email" size='35' maxlength="60" required />
</div>

<div>       
    <label class='info-title' for="address">Address: </label>
    <input type="text" name="address" id="address" size='45' maxlength="50" required />
</div>
Community
  • 1
  • 1
kaboom
  • 833
  • 4
  • 18
  • 38

3 Answers3

2

Try htmlspecialchars($string);

That will encode all the HTML tags to character codes (<div> would become &lt;div&gt;, which will be displayed without being parsed as html) This way, script tags cannot be created as well.

Be sure to clean the content before supplying it to a database though, for example by escaping with mysqli_escape_string() (others will probably advice you to use prepare statements).

It is most likely not best practice to put HTML character encoded strings into the database, as it simply increases the string size unnecessarily. (And it doesn't provide protection against SQL injection on its own)

Thomas
  • 429
  • 2
  • 10
1

Personally, I just like to do $out = str_replace("<","&lt;",$in). It provides the least possible disruption for the user, and they are most likely to get out what they typed in.

If the user input may end up in an HTML attribute (for whatever reason), you should also replace " with &quot;.

Never put user-supplied content into a <script> tag, and never save it to a file without first performing the replacements.

Niet the Dark Absol
  • 320,036
  • 81
  • 464
  • 592
  • The problem with this is that the &-sign will be displayed in the HTML as `&`, which is not valid. It should be output as `&`. Of course you can edit the script to do this as well, but it'd be easier to use `htmlspecialchars()` or a similar function. – Thomas Aug 20 '12 at 22:05
1

You cannot disable "the abilities to type html, php, script from input field", unless you check users' input in real time and specifically block them when you detect that a tag is entered. Yet I don't see a reason why anyone would want that, the proper way is to properly process users' input when submitted.

For html tags or php codes or things like that you can definitely use escapehtml or strip_tags, but if you are later putting the content into mysql, I have to remind you of sql injection attack.

If you are not familiar with the term, users can type in mysql queries that interfere with your sql queries. If we blindly insert user provided content into our "INSERT" statements, those statements might be altered by sql keywords in user's input.

For ways to prevent sql injection attack, you can take a look at wiki's page for a good start: http://en.wikipedia.org/wiki/SQL_injection#Mitigation

Xavier_Ex
  • 8,432
  • 11
  • 39
  • 55