
When I get text from the database it can contain things like <h1>, <div>, etc. This can be entered by a user and screw things up on a website, so I need to filter them out.

I tried to apply this method: http://www.w3schools.com/php/filter_sanitize_special_chars.asp

Here is what I have now, but it does not work.

$story_title = $row["st_title"]; // Gathered from Database
$story_title = filter_var($story_title, FILTER_SANITIZE_SPECIAL_CHARS); // filter_var() returns the filtered copy, so assign it
$story_category = $row["st_category"]; // Gathered from Database
$story_category = filter_var($story_category, FILTER_SANITIZE_SPECIAL_CHARS);
$the_story = $row["st_body"]; // Gathered from Database
$the_story = filter_var($the_story, FILTER_SANITIZE_SPECIAL_CHARS); // was filtering the undefined $story_body

Can anyone suggest a solution that would work?

  • Hot discussion with open bounty of +200 about this subject here: http://stackoverflow.com/questions/8419038/what-is-the-correct-way-to-detect-whether-string-inputs-contain-html-or-not/ – J. Bruni Dec 20 '11 at 18:39

2 Answers

If you want to remove the HTML tags you can use the built-in function strip_tags().

Example:

$userdata = "<h1>This is a title <a href=\"http://www.example.com\">and a link</a> </h1>";
echo strip_tags($userdata);
// will echo "This is a title and a link";

You can allow some tags if you want:

$userdata = "<h1>This is a title <a href=\"http://www.example.com\">and a link</a> </h1>";
echo strip_tags($userdata,"<a>");
// will echo "This is a title <a href=\"http://www.example.com\">and a link</a>";
// the anchor tag (including its attributes) is not removed
  • And as an optional second argument you can add `$allowed_tags` if you would like to allow your users to use basic HTML formatting tags like ``, ``, and ``. – Bailey Parker Dec 20 '11 at 18:09
  • Hi, for some reason it doesn't work. I used `$the_story = $row["st_body"]; strip_tags($the_story);` and it doesn't work; here is my website: http://inelmo.com – Ilja Dec 20 '11 at 18:17
  • @IlyaKnaup in which part of your website are you using it? – Ibu Dec 20 '11 at 18:28
  • Well when I get data from database I use strip_tags on it, but it doesn't work, I tried using them when inserting info into database, but it didn't work either. Don't worry I asked a different question on this issue as it is not what I asked for here ))) – Ilja Dec 20 '11 at 18:31
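The following is an added example, not code from the question or the answers, putting the two techniques discussed in this thread side by side on a constructed `$row` array that stands in for the database row: escaping with htmlspecialchars() so user input is displayed literally, and strip_tags() with an allowlist. It also shows why the question's snippet (and the `strip_tags($the_story);` in the comment above) has no effect: both functions return the cleaned string rather than modifying their argument.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.4+ for the type hints.

/**
 * Escape for display as plain text: <, >, &, " and ' become entities, so the
 * browser shows exactly what the user typed and never parses it as HTML.
 */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Remove tags, optionally keeping an allowlist (strip_tags()'s second argument,
 * given as a string such as "<a><b>"). Caveat: attributes on allowed tags are
 * kept untouched, so an allowlist alone is not an XSS defence; for rich HTML
 * use a real sanitizer such as HTML Purifier, as the other answer suggests.
 */
function stripToAllowedTags(string $value, array $allowedTags = []): string
{
    return strip_tags($value, implode('', $allowedTags));
}

// Constructed sample row standing in for $row fetched from the database.
$row = [
    'st_title'    => '<h1>My <b>bold</b> title</h1>',
    'st_category' => 'News & Reviews',
    'st_body'     => 'Visit <a href="http://www.example.com" title="x">our site</a> &amp; more.',
];

// The bug from the question: the cleaned copy that filter_var() returns is
// discarded, so $story_title still holds the raw value from the database.
$story_title = $row['st_title'];
filter_var($story_title, FILTER_SANITIZE_SPECIAL_CHARS);
var_dump($story_title === $row['st_title']); // true: nothing was changed in place

// The fix: assign the return value of whichever function you use.
$story_title    = escapeForHtml($row['st_title']);      // shown literally, tags visible as text
$story_category = escapeForHtml($row['st_category']);   // "&" becomes "&amp;"
$the_story      = stripToAllowedTags($row['st_body'], ['<a>']); // <a ...> survives, other tags go

echo $story_title, "\n";
echo $story_category, "\n";
echo $the_story, "\n";
```

Escape at the moment of output rather than before storing in the database, so the stored text stays intact and can be shown safely in any context later.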

There are many approaches to this.

I would suggest not to reinvent the wheel and use something like HTML Purifier, which is a standards-compliant and open-source filtering system, which allows you to make potent and highly customizable filters while also protecting from XSS attacks. It has whitelists and blacklists so you can define what the user is allowed to use and what he is not.
