How Can I Make It So Users Cannot Enter Raw HTML Code In Forms Using PHP?

Question

I am attempting to make it so users can insert information into an HTML form like this

<form method="POST">
<textarea name="form" cols="58" rows="4" placeholder="form"></textarea>
<input type="submit" name="Create">
</form>
<?php
include("connection.php");
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$input = mysqli_real_escape_string($con, $_POST['form']);
$query = "insert into table (column) values('$input');
if (mysqli_query($con, $query)) {
    header("Location: input.php");
}
?>

and then input.php is

<?php
include("connection.php");
$query = "SELECT * FROM table";
$execute = mysqli_query($con, $query);
if ($execute) {
    while ($row = $execute->fetch_assoc()) {
        echo $row['column'];
    }
}
?>

However a user can just input raw HTML code like . How can I stop a user from inserting that and instead just display it as regular text?

See also: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 — Don't Panic, Aug 18 '21 at 19:43
Use prepared statements and properly encode your output and it doesn't matter how much HTML, Javascript, or SQL they try to inject. — Sammitch, Aug 18 '21 at 20:14

score 0 · Answer 1 · answered Aug 18 '21 at 19:43

0

You can't stop that. You'll have to deal with it properly, in this case you can use htmlentities() on the HTML string to convert it in a way so that when you output it, the browser won't start to render the HTML tags.

answered Aug 18 '21 at 19:43

Honk der Hase

2,459
1
14
26

How Can I Make It So Users Cannot Enter Raw HTML Code In Forms Using PHP?

1 Answers1