
I'm making a mini social-network type site, where people can submit questions/chat things to a PHP page, which adds that data to a database, then gets all the data from the database and puts it in its own div on the page, displaying all the comments. The only problem is that people are submitting tags which are messing up the page, and I was wondering if there was a way to disable <> tags in a specific div? Here's the section of code for that part:

    <?php
    // $u is the profile owner's name; it is interpolated straight into the query
    $q = mysql_query("SELECT * FROM posts WHERE user='$u' ORDER BY date DESC");
    ?>
    <div class="posts">
    <?php
    if (mysql_num_rows($q) < 1) {
        echo "{$u} has not submitted any updates yet.";
    } else {
        while ($row = mysql_fetch_array($q)) {
            $com = $row['post'];
            ?>
            <div class="comment">
                <!-- the post body is echoed unescaped, so any tags a user typed are parsed as HTML -->
                <p><?php echo $com; ?></p>
                <div class="user_post">
                    <a href="/user.php?u=<?php echo $u; ?>" class="usersname"><p class="comtext"><?php echo $u; ?></p><img src="/user/Coby/background.png" style="display:block; width:50px; margin-top:-20px; height: auto !important;  background-image: url('<?php echo $avatar; ?>'); background-size: cover;" /></a>
                </div>
            </div>
            <?php
        }
    }
    if ($isOwner == "yes") { ?>
    <form action="post.php" method="post">
        <input type="hidden" name="user" value="<?php echo $u; ?>" />
        <textarea placeholder="Write on your Corner!" name="comment"></textarea>
        <input type="submit" value="Post!" name="submit" />
    </form>
    <?php } ?>
    </div>

    </div>
user2230755
  • You should probably look at something like UBB code – Gerald Versluis May 17 '13 at 06:41
    You can use `strip_tags` or `htmlentities` to transform the data into something the browser could show – Kavi Siegel May 17 '13 at 06:43
  • You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are probably also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin May 17 '13 at 06:48

3 Answers

    while ($row = mysql_fetch_array($q)) {
        // convert <, >, & and " to entities so the browser shows them as text
        $com = htmlspecialchars($row['post']);
        ?>
open source guy

The best way is:

    $com = htmlspecialchars($row['post'], ENT_QUOTES, 'UTF-8');

Here is a link to the documentation.

Subedi Kishor
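Putting the two answers above together, as an added example that is not part of either answer or of the question's own code: the rendering loop with `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` applied at every output point (post text, the username in text and attribute context, the query-string value in the `href`), and, following Quentin's comment on the question, the `mysql_*` string-built query replaced by a PDO prepared statement. It assumes a PDO connection in `$pdo`, the same `posts` table (columns `user`, `post`, `date`), and the `$u`, `$avatar` and `$isOwner` variables the question uses; the helper names `e()`, `q()` and `fetchPosts()` are mine.

```php
<?php
// Added example, not code from the question or the answers.
// Assumes: $pdo is a connected PDO instance; $u, $avatar, $isOwner are set
// exactly as in the question; table `posts` has columns user, post, date.
declare(strict_types=1);

// Escape a value for HTML text content or a quoted attribute value.
// ENT_QUOTES also converts single quotes, so the result is safe inside
// single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 bytes
// instead of making htmlspecialchars() return an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape a value for use as one URL query-string component.
function q(string $value): string
{
    return rawurlencode($value);
}

// Fetch a user's posts with a bound parameter: $user is sent to the server
// separately from the SQL text, so a name like  x' OR '1'='1  stays data.
function fetchPosts(PDO $pdo, string $user): array
{
    $stmt = $pdo->prepare('SELECT post FROM posts WHERE user = ? ORDER BY date DESC');
    $stmt->execute([$user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$posts = fetchPosts($pdo, $u);
?>
<div class="posts">
<?php if (count($posts) < 1): ?>
    <?= e($u) ?> has not submitted any updates yet.
<?php else: ?>
    <?php foreach ($posts as $row): ?>
    <div class="comment">
        <!-- a post of  <script>alert(1)</script>  is shown literally, not executed -->
        <p><?= e($row['post']) ?></p>
        <div class="user_post">
            <!-- URL-encode for the query string, then HTML-escape for the attribute -->
            <a href="/user.php?u=<?= e(q($u)) ?>" class="usersname">
                <p class="comtext"><?= e($u) ?></p>
                <!-- e() stops $avatar from closing the style attribute; it does not
                     validate the CSS url() itself, so $avatar should be a path the
                     server generated rather than one the user typed -->
                <img src="/user/Coby/background.png"
                     style="display:block; width:50px; margin-top:-20px; height:auto !important; background-image:url('<?= e($avatar) ?>'); background-size:cover;" />
            </a>
        </div>
    </div>
    <?php endforeach; ?>
<?php endif; ?>
<?php if ($isOwner === 'yes'): ?>
    <form action="post.php" method="post">
        <input type="hidden" name="user" value="<?= e($u) ?>" />
        <textarea placeholder="Write on your Corner!" name="comment"></textarea>
        <input type="submit" value="Post!" name="submit" />
    </form>
<?php endif; ?>
</div>
```

The escaping happens when the value is printed, not when it is stored: the database keeps exactly what the user typed, and the same stored text can later be emitted safely into HTML, JSON or a URL with the escaper that fits that context. Compared with `strip_tags`, which the comment on the question also suggests, `htmlspecialchars` does not lose content (a post reading `x < y` survives) and covers the `"`/`'` cases that matter inside attributes, which `strip_tags` never looks at.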

Either you filter the <> when they are entered, or you filter them (e.g. with jQuery) while rendering. Or you escape them.

GarfieldKlon
  • Filtering them with client-side code isn't going to work; they'll be parsed before JavaScript can do anything with that. That will leave the site vulnerable to XSS attacks and is terrible advice. – Quentin May 17 '13 at 06:47
  • Therefore I would escape/filter them when submitting the form. – GarfieldKlon May 17 '13 at 06:52
  • You never know if the user has JavaScript active. You even don't know if it's real user or a bot. You need to parse input on the server side, when it has already been submitted. – Voitcus May 17 '13 at 06:55