This is my code, how do I prevent people from injecting HTML or anything like that in the comment and name field? I read something about html entities and stripping tags, but I have no clue whatsoever how to do it :(

    <?php
    error_reporting(E_ALL ^ E_NOTICE);
    require('connect.php');
    $name=$_POST['name'];        // raw POST values, used unescaped below
    $comment=$_POST['comment'];
    $submit=$_POST['submit'];
    if($submit)
    {
        if($name&&$comment)
        {
            // user input is concatenated straight into the SQL string
            $query=mysql_query("INSERT INTO comment (id,name,comment) VALUES ('','$name','$comment')");
            header("Location: success.php");
        }
        else
        {
            echo "Please fill out all the fields.";
        }
    }
    ?>
    <html>
    <head>
        <title>Family Travels - Lanzarote</title>
        <link rel="stylesheet" href="layout2.css" title="style1" media="screen" />
    </head>

    <body>

    <div id="title">

        <img src="images/banner.png" alt="Title">

    </div> <!-- title -->
    <div id="container">

    <div id="content">
    <h2>Share your experience:</h2>

    <form action="comment.php" method="POST">
    <label>Name:  </label><br /><input type="text" name="name" value="<?php echo "$name" ?>" /><br /><br />
    <label>Comment:  </label><br /><textarea style="width:350px;height:130px" name="comment" cols="25" rows="7"></textarea><br /><br /><br />
    <input type="submit" name="submit" value="Comment" /><br />
    <div style="height:600px;width:500px;overflow:auto;white-space:pre-line;word-wrap:break-word;">
    </form>
    <hr width="500px" size="3px" />

    <?php
    require('connect.php');
    $query=mysql_query("SELECT * FROM comment ORDER BY id DESC");
    while($rows=mysql_fetch_assoc($query))
    {
        $id=$rows['id'];
        $dname=$rows['name'];
        $dcomment=$rows['comment'];
        $linkdel="<a href=\"delete.php?id=" . $rows['id'] . "\">Delete Comment</a>";
        // stored values are echoed straight into the HTML
        echo '<font color="white">Name:</font>  ' . $dname . '<br />' . '<br />' . '<font color="white">Comment:</font>  ' . '<br />' . '<br />' . $dcomment . '<br />' . '<br />' . $linkdel . '<br />' . '<br />' .
        '<hr size="3px" width="500px" />' ;
    }
    ?>
    </div>
    </div> <!-- content -->
</div>
 </div> <!-- content -->    
  • The `strip_tags()` PHP function. – Dipesh Parmar Apr 19 '13 at 10:57
  •
    In addition to the XSS problem you are asking about, you are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Apr 19 '13 at 10:57
  • I know it's outdated, but it's just for a school assignment, it's not a serious website or anything like that. – user2298880 Apr 19 '13 at 11:36

1 Answer

I think you are searching for the `strip_tags()` function:

http://php.net/manual/en/function.strip-tags.php

It will remove all HTML and PHP tags from a string.

x4rf41
    `strip_tags` does not even come close to providing robust XSS protection. – Jon Apr 19 '13 at 11:00
  • What about `htmlentities`? http://php.net/manual/en/function.htmlentities.php Is that safe? – x4rf41 Apr 19 '13 at 11:02
  • `htmlentities` should never be used in this context. `htmlspecialchars` is very similar and the correct function to use, but it only covers some XSS attack vectors. The accepted answer to the linked question contains more information. – Jon Apr 19 '13 at 11:17
  • I don't want to be completely protected, it's just for a school assignment and I just need a simple example of protecting against injection. – user2298880 Apr 19 '13 at 11:33
  • I've read about the strip tags etc. but I don't know where to put it? Could someone please show me where I would put the function in my code for it to work? – user2298880 Apr 19 '13 at 11:37
  • Replace `$dcomment=$rows['comment'];` with `$dcomment=htmlspecialchars($rows['comment']);`. To be safe, you should replace `'$comment'` in your SQL insert query with `'".mysql_real_escape_string($comment)."'` or you might get errors. – x4rf41 Apr 19 '13 at 11:39
  • Just one last thing. Right now the top code "echo "Please fill out all the fields.";" echoes it at the top left corner of the page, instead of in the content div. Is there a way to make it echo it in my content div? – user2298880 Apr 19 '13 at 11:49
  • Just put the PHP code where you want it to write the content. – x4rf41 Apr 19 '13 at 11:54
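Putting the thread's advice together, as an added example (not code from the question or the answer): every user-supplied value is passed through `htmlspecialchars` at the point it is written into HTML, the INSERT uses a prepared statement instead of string concatenation, and the validation message is rendered inside the form rather than at the top of the page. It assumes `connect.php` provides a PDO handle in `$pdo` (an assumption; the original `connect.php` is not shown) and the table and columns from the question.

```php
<?php
// Added example (not the asker's or answerer's code). Assumes connect.php
// creates a PDO connection in $pdo; table and columns are the question's.
declare(strict_types=1);
require 'connect.php'; // hypothetical: must define $pdo = new PDO(...)

// Output encoding: the one place HTML/attribute injection is neutralised.
// ENT_QUOTES also escapes single quotes, needed inside value='...' attributes.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$name    = $_POST['name']    ?? '';
$comment = $_POST['comment'] ?? '';
$error   = null;

if (isset($_POST['submit'])) {
    if ($name !== '' && $comment !== '') {
        // Prepared statement: values are bound, never spliced into the SQL text,
        // so a quote in the comment cannot change the query. id is auto-assigned.
        $stmt = $pdo->prepare('INSERT INTO comment (name, comment) VALUES (?, ?)');
        $stmt->execute([$name, $comment]);
        header('Location: success.php');
        exit; // without this the rest of the page is still sent after the redirect
    }
    $error = 'Please fill out all the fields.';
}
?>
<form action="comment.php" method="POST">
<?php if ($error !== null): ?><p><?= e($error) ?></p><?php endif; ?>
<label>Name:</label><br /><input type="text" name="name" value="<?= e($name) ?>" /><br />
<label>Comment:</label><br /><textarea name="comment" cols="25" rows="7"><?= e($comment) ?></textarea><br />
<input type="submit" name="submit" value="Comment" />
</form>
<?php
// Display: escape every stored field at the moment it is written into HTML.
// Rows are untrusted even though they come from our own table (stored XSS).
$rows = $pdo->query('SELECT id, name, comment FROM comment ORDER BY id DESC');
foreach ($rows as $row) {
    $id = (int) $row['id']; // integer cast: the only shape this URL parameter may take
    echo 'Name: ' . e($row['name']) . '<br /><br />';
    echo 'Comment:<br /><br />' . e($row['comment']) . '<br /><br />';
    echo '<a href="delete.php?id=' . $id . '">Delete Comment</a><hr />';
}
?>
```

With this structure a comment such as `<script>alert(1)</script>` is stored as typed and shown as literal text, and `strip_tags` is not needed at all.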