
So, I've got a form that enters into a database and those values are then echoed on the page. I have been trying to figure out how to disable all code from being processed when put through the form.

This is my form:

    <div id="postForm">
        <form method="post" action="post.php" id="messageForm" autocomplete="off">
            <table border="0" align="center">
                <!-- an id must be unique on the page, so the repeated label cells use a class -->
                <tr><td class="formBlock"><span>Name</span></td>
                <td><input id="messageName" name="name" type="text" value="Anonymous" maxlength="32" required>
                    <input style="margin-right: -1px; margin-left: -4px;" type="submit" name="Submit" value="Send Message"></td></tr>
                <tr><td class="formBlock"><span>Title</span></td>
                    <!-- size, not width, sets the visible width of a text input; a <br> is not allowed between table rows -->
                    <td><input id="messageTitle" name="title" type="text" maxlength="32" size="20"></td></tr>
                <tr><td class="formBlock"><span>Message</span></td>
                    <td><textarea onkeyup="countChar(this)" name="message" rows="6" cols="50" form="messageForm" maxlength="2000" style="font-family: arial;" required></textarea></td></tr>
            </table>
        </form>
        <table align="center" style="width: 290px; border: 0px;">
            <!-- table cells need an enclosing row -->
            <tr>
                <td><div id="warningText" style="font-size: 10px; margin-top: -15px;">Please read the FAQ before posting!</div></td>
                <td><div id="messageText" style="font-size: 10px; margin-top: -15px; text-align: right;"></div></td>
            </tr>
        </table>
    </div>

And this is how the entries are being echoed:

    <div id="messages">
        <?php
            $servername = "localhost";
            $username = "user";
            $password = "pass";
            $dbname = "db_posts";
            $tablename = "posts";

            $conn = new mysqli($servername, $username, $password, $dbname);
            if ($conn->connect_error) {
                die("failed to connect: " . $conn->connect_error);
            }

            $sql = "SELECT id, rating, name, title, message, date, time FROM posts ORDER BY date DESC, time DESC";
            $result = $conn->query($sql);
            // query() returns false on failure; without this check num_rows would be read from a boolean
            if ($result === false) {
                die("query failed: " . $conn->error);
            }

            if ($result->num_rows > 0) {
                // every $row field below is echoed exactly as stored, so any markup in a post is rendered by the browser
                while ($row = $result->fetch_assoc()) {
                    // ids must be unique on the page, so the per-post wrappers use classes
                    echo "<br><div class='messageBar'><b><a class='rateup' href='index.php' data-id='" . $row['id'] . "' title='vote up'>&#9650;</a> ";
                    echo $row["rating"];
                    echo " <a class='ratedown' href='index.php' title='vote down'>&#9660;</a> </b>";
                    echo "Posted by <b>";
                    echo $row["name"];
                    echo "</b> on ";
                    echo $row["date"];
                    echo " at ";
                    echo $row["time"];
                    if (!empty($row['title'])) {
                        echo " - <b>";
                        echo $row["title"];
                        echo "</b>";
                    }
                    echo "<span style='float: right'>#";
                    echo $row["id"];
                    echo "</span>";
                    echo "</div><div class='messageContent'>";
                    echo $row["message"];
                    echo "</div><br><hr>";
                }
            } else {
                echo "<br>";
                echo "<center><i>it's dusty in here</i></center>";
                echo "<br>";
            }

            $conn->close();
        ?>
    </div>

I'm sure that there's a better way I can echo all of this data, so if anyone has any suggestions feel free to let me know.

TL;DR: If someone enters `<b>text</b>` into my form, I want it to echo like `<b>text</b>`.

chris85
Treedot
  • Also possible duplicate of http://stackoverflow.com/a/6323198/5580153 – Aaron Lavers Jun 07 '16 at 01:58
  • Can you explain your example? The input code appears to be the same as the output. – chris85 Jun 07 '16 at 02:04
  • You fill out the form, and it displays the data on the page. That's why they look the same. – Treedot Jun 07 '16 at 12:45
  • Whoever marked this as duplicate, thank you! I searched for hours and didn't find that post because I wasn't searching for XSS. I fixed it! – Treedot Jun 07 '16 at 12:47
  • Oh so you want the output as `text`, not **text**, right? XSS is short for cross site scripting which is what you are trying to prevent. There is a long write up here, https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet on it. – chris85 Jun 07 '16 at 18:37
  • I fixed it already, but thank you. I was trying to prevent people from putting code into my form. – Treedot Jun 07 '16 at 22:30

1 Answer

It's most common to encode user data as it's rendered to the screen. I don't use php, but you can probably use the htmlentities() function.

This way, any characters which could be interpreted as commands in the browser are encoded to display exactly as entered originally.

Neil Cross
  • "I don't use php" then I humbly suggest answering php questions may not be the best idea. – Jun 07 '16 at 02:01
  • Thanks for the advice. I answered this question based on my experience with XSS, which was also tagged, as were javascript and html. However, it appears my answer has proven less useful not because of its content, but because I don't have an extensive knowledge of the backlog of php questions on SO. – Neil Cross Jun 07 '16 at 06:30
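The answer's point, encoding at render time, applied to the rendering loop from the question. This is an added example, not code from the question or the answer: it uses `htmlspecialchars()` (which covers the same characters that matter here as the `htmlentities()` the answer names), applies it at every point where a stored field lands in the markup, including the single-quoted `data-id` attribute, and runs against constructed sample rows instead of the database, so the `e()`, `render_post()` and `render_posts()` helpers and the sample data are this example's own.

```php
<?php
// Added example, not the asker's or answerer's code: the rendering loop from the
// question rewritten so every database-sourced value is encoded at output time.
// The rows below are constructed sample data standing in for the SELECT result,
// so this runs without a database.
declare(strict_types=1);

// Encode a value for HTML text content or a quoted attribute value.
// ENT_QUOTES also encodes the apostrophe, which matters because the markup
// below uses single-quoted attributes such as data-id='...'; the explicit
// charset keeps the encoding independent of the server default.
function e($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Build the markup for one post; e() is applied wherever a stored field is
// interpolated, in text and in attribute position alike.
function render_post(array $row): string
{
    $html  = "<br><div class='messageBar'><b>";
    $html .= "<a class='rateup' href='index.php' data-id='" . e($row['id']) . "' title='vote up'>&#9650;</a> ";
    $html .= e($row['rating']);
    $html .= " <a class='ratedown' href='index.php' data-id='" . e($row['id']) . "' title='vote down'>&#9660;</a></b> ";
    $html .= "Posted by <b>" . e($row['name']) . "</b> on " . e($row['date']) . " at " . e($row['time']);
    if (!empty($row['title'])) {
        $html .= " - <b>" . e($row['title']) . "</b>";
    }
    $html .= "<span style='float: right'>#" . e($row['id']) . "</span>";
    $html .= "</div><div class='messageContent'>" . e($row['message']) . "</div><br><hr>";
    return $html;
}

// Render a list of rows; on the real page $rows would be filled from fetch_assoc().
function render_posts(array $rows): string
{
    if ($rows === []) {
        return "<br><p style='text-align: center'><i>it's dusty in here</i></p><br>";
    }
    return implode("\n", array_map('render_post', $rows));
}

// Constructed sample rows (not real posts): one plain, one carrying the exact
// input from the question plus an apostrophe in the name.
$rows = [
    ['id' => 1, 'rating' => 3, 'name' => 'Anonymous', 'title' => '',
     'date' => '2016-06-07', 'time' => '01:58:00', 'message' => 'plain text'],
    ['id' => 2, 'rating' => 0, 'name' => "O'Brien", 'title' => '<i>hi</i>',
     'date' => '2016-06-07', 'time' => '02:04:00', 'message' => '<b>text</b>'],
];

$out = render_posts($rows);

// Self-checks: the typed markup comes back as literal text, and the apostrophe
// cannot terminate the single-quoted attribute it would otherwise land in.
$expect = [
    ['&lt;b&gt;text&lt;/b&gt;', true],
    ['<b>text</b>', false],
    ['&lt;i&gt;hi&lt;/i&gt;', true],
    ['O&apos;Brien', true],
];
foreach ($expect as [$needle, $present]) {
    if ((strpos($out, $needle) !== false) !== $present) {
        throw new RuntimeException("unexpected output around: $needle");
    }
}

echo $out, "\n";
```

Two things to keep in mind when wiring this into the page: the charset passed to `htmlspecialchars()` should match what the page declares (a `<meta charset="utf-8">` in the head, or a `Content-Type` header sent before any output), and encoding here changes only what the browser sees; the value stored by `post.php` stays exactly as the user typed it, which is what makes rendering the right place to do it.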