2

I am trying to work on a fansite for a game, and I've run into an issue. I have an HTML textarea that a user can put a bio of themselves in, or an about me in other terms. I am wondering, if a user types in a link, for example google.com, how that can post to my database and then appear as a clickable link that, when clicked, will take someone to whatever link is put in there. So if someone types google.com, it will lead to google.com when clicked. If someone puts in facebook.com, it will take them to facebook.com when clicked, etc.

So how can I make it so links are clickable without having to put in an a href? This is all I have so far, because I don't know where to go from here.

Textarea code:

<tr>
    <td class="style7"><div align="right">Bio:</div></td>
    <td><textarea name="bio" cols="42" rows="8" id="bio"><?php echo "$bio"; ?></textarea></td>
</tr>

Some PHP:

 $bio = $_POST['bio'];

Post into database:

$sql = mysql_query("UPDATE members SET email='$email', password='$password', country='$country', bio='$bio' WHERE id='$id'"); 

Any help would be much appreciated!

mdsmith98

3 Answers

1

A nice way to achieve what you want while adding a layer of security is to use BBCode tags.

There is full documentation on BBCode on the PHP.net website, or a simple BBCode parser available in a single file here.

It will be easy to convert links to clickable text like this:

$safe_html = bbcodeParser($bio);

And then add this $safe_html into the database.

Or instead of a textarea, put a single-line input accepting only URLs (checking with regular expressions as the other answers suggest).

Still, there are lots of other security loopholes to consider in the code you posted! Be careful!

achedeuzot
0

There is a set of solutions for your problem

  • the user input can be an HTML link (not a good idea: injection)
  • the user leaves a bare string that resembles a URL
  • the user leaves a specially formatted URL like Stack Overflow does [url](metaData)

Let's focus on some considerations

  • save the data formatted ready for output (bad idea)
  • save the data just like the user passed it (after filtering it) and prep your output functions to process the content

Some tools at your disposal

  • RegularExpressions, RegularExpressions, and some more RegularExpressions

Please take your time to understand what's underlying your problem, then come back and ask to your heart's content.

hanzo2001
0

I would look into preg_replace for automatically detecting links.

Regular expressions are a very useful thing, and they can be used to do a whole bunch of stuff. For example, most Markdown parsers use regular expressions at least a little bit.

You'll be wanting to match just about anything ending with ".tld" (it would be a good idea to use a list of TLDs instead of just doing "*.*") and you'll probably want to do it when rendering, and not when inserting initially, but you can decide for yourself when you want the filtering to occur.

You could further simplify the above by requiring the addition of http:// or https:// (or any other protocol that you wish to allow users to link to).

Since you're probably new to regular expressions, here is a super helpful site with some help on them, and here is a live testing site.

It's worth noting that regexpal and PHP regular expressions have slightly different syntaxes and very, very slightly different capabilities, since the former uses JavaScript.

Something I'd like to bring up also is your completely unsanitized SQL query - I urge you to look into sanitation at the very least, and I heavily suggest using PDO. It can be a bit complicated, but as it stands now, there's a high chance somebody could mess with your database.

Good hunting!

MoJi
  • The problem with .tld is with all the new extensions that will start to appear like .clothing or .plumbing (lol, what a mess this is going to be) – achedeuzot Nov 30 '13 at 20:14
  • Yeah that's true, but for the time being it would work decently. Requiring http:// and https:// and what have you would be significantly better, though. – MoJi Nov 30 '13 at 20:16
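
The approach the answers converge on (store the bio as typed, convert links when rendering, require http:// or https://, use PDO for the query), as an added example that is not code from any of the posts above. The function names saveBio and linkifyBio are hypothetical, the members table with its bio and id columns follows the question's query, and the sample bio is constructed.

```php
<?php
// Added example. saveBio/linkifyBio are hypothetical names; the members
// table (bio, id) follows the question's query; the sample bio is constructed.

// Store the bio exactly as typed, with bound parameters instead of
// interpolating $_POST values into the SQL string.
function saveBio(PDO $pdo, int $id, string $bio): void
{
    $stmt = $pdo->prepare('UPDATE members SET bio = :bio WHERE id = :id');
    $stmt->execute([':bio' => $bio, ':id' => $id]);
}

// Render-time conversion: split on http(s) URLs, HTML-escape every piece,
// and wrap only the URL pieces in an anchor.
function linkifyBio(string $raw): string
{
    $parts = preg_split('~(https?://[^\s<>"\']+)~i', $raw, -1, PREG_SPLIT_DELIM_CAPTURE);
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $out = '';
    foreach ($parts as $i => $part) {
        if ($i % 2 === 0) {            // even indexes: ordinary text
            $out .= nl2br($esc($part));
            continue;
        }
        // Odd indexes: a captured URL. Sentence punctuation stuck to the
        // end stays outside the link.
        $url  = rtrim($part, '.,;:!?)');
        $tail = substr($part, strlen($url));
        $out .= '<a href="' . $esc($url) . '" rel="nofollow noopener">'
              . $esc($url) . '</a>' . $esc($tail);
    }
    return $out;
}

// Constructed sample: markup in the bio is shown as text, the URL becomes a link.
$bio = "Hi <script>alert(1)</script>\nMy site: https://example.com/?a=1&b=2.";
echo linkifyBio($bio), "\n";
```

When the raw bio is echoed back into the textarea for editing, it needs the same htmlspecialchars call.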