1

I'm trying to make a little forum type thing. So how would I do the comments so that no one can throw HTML in there?

thanks in advance =)

bzupnick

5 Answers

2

The simplest way is to replace < with &lt; and > with &gt;, then insert the post into the database.

That's the basic starting point; you can whitelist certain tags and expand on it later, but this will protect you against just about every HTML injection.

Alternatively, you can use some kind of HTML encode function to sanitise input.

Tom Gullen
1

http://php.net/manual/en/function.strip-tags.php

Kavi Siegel
0

If you want to prevent them using any HTML at all, you can just use htmlspecialchars(). You have a choice over whether you do that before storing in the database, or before output of the page (most people will recommend sanitising output immediately before it is used, i.e. when you output the page).

Hammerite
  • I would disagree with that assertion. If you sanitize before it goes into the database, it's a one-time action. If you sanitize upon output, you must perform the sanitization every time that data is used. – asthasr Apr 05 '11 at 15:01
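As an added illustration of the escape-on-output approach this answer describes (example code written for this page, not taken from the answer or from PHP's documentation), a PHP fragment that stores comment text raw and escapes it at render time; the function names and the sample input are my own:

```php
<?php
// Added example: escape untrusted comment text when it is rendered, not
// when it is stored. The raw text stays reusable (plain-text email, JSON)
// and cannot be double-encoded by a second escaping layer later on.
declare(strict_types=1);

/** Escape a string for the HTML text context and for quoted attributes. */
function escape_html(string $untrusted): string
{
    // ENT_QUOTES encodes both ' and ", so the result is also safe inside a
    // quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // making htmlspecialchars() return an empty string.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one stored comment as an HTML fragment; every dynamic value is escaped. */
function render_comment(string $author, string $body): string
{
    // Escape first, then let nl2br() add the <br /> tags we actually want.
    return '<div class="comment" data-author="' . escape_html($author) . '">'
         . '<p>' . nl2br(escape_html($body)) . '</p>'
         . "</div>\n";
}

// Constructed sample input: what a user might type into the comment box.
$author = 'Ann "the" O\'Nymous';
$body   = "<b>bold?</b> & <script>alert('hi')</script>\nsecond line";

// Outputs the fragment with every <, >, &, " and ' turned into an entity,
// so the browser shows the user's text literally and executes nothing from it.
echo render_comment($author, $body);

// By contrast, strip_tags() only removes tags; for any tags you allow it
// leaves their attributes untouched, so it is not a substitute for escaping.
```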
0

You can use strip_tags to eliminate all the tags.

If you just replace < with &lt; and > with &gt;, you'll end up with a lot of junk in the stored DB entry.

But if you are making a forum, maybe you should implement a specific way to let your users personalize their posts a little bit, à la Stack Overflow.

You can create a special wordlist or just allow some tags. Check this site.

jojo
-1

You need to read about input sanitization.

asthasr
  • input sanitization is an oxymoron - the issue is input validation and output sanitization – symcbean Apr 05 '11 at 15:06
  • Sanitization is a form of validation. See OWASP: http://www.owasp.org/index.php/Data_Validation#Sanitize – asthasr Apr 05 '11 at 15:08