Disallow HTML in PHP form???

Participant, Jul 06, 2009

Hi,

I have run into a very annoying problem. On my site I allow people to post comments on videos much like YouTube, but unlike YouTube some users have taken advantage of me and have started typing HTML into the comment box, and then when they post it the site reads the HTML and they can add links and distort things.

So... I know you can disable HTML but I have no idea how to. I am using an Insert Record server behavior. Some people give me the code but no one tells me where to put it. So if anyone could help me with this I would be very grateful.

Here is the code I am using, it is kind of long:)

NOTE: ********* indicates private information.

<?php
// This line only rewrites the undefined variable $input; it never touches the posted form fields.
$input = ereg_replace("<.*>","",$input);

// Dreamweaver helper: escapes a value for MySQL and quotes or casts it by type.
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

$currentPage = $_SERVER["PHP_SELF"];

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

// Insert Record server behavior: the comment and username are stored exactly as posted.
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO ***************** (`Comment`, Username) VALUES (%s, %s)",
                       GetSQLValueString($_POST['CommentBox'], "text"),
                       GetSQLValueString($_POST['Username'], "text"));

  mysql_select_db($database_********, $**************);
  $Result1 = mysql_query($insertSQL, $**************) or die(mysql_error());
}

// Look up the logged-in user.
$colname_************ = "-1";
if (isset($_SESSION['MM_Username'])) {
  $colname_********* = $_SESSION['MM_Username'];
}
mysql_select_db($database_************, $************);
$query_************ = sprintf("SELECT * FROM login WHERE username = %s", GetSQLValueString($colname_**************, "text"));
$***************** = mysql_query($query_*************, $****************) or die(mysql_error());
$row_********** = mysql_fetch_assoc($************);
$totalRows_********* = mysql_num_rows($**************);

// Paged recordset of comments, three per page.
$maxRows_***************** = 3;
$pageNum_**************** = 0;
if (isset($_GET['pageNum_**************'])) {
  $pageNum_***************** = $_GET['pageNum_****************'];
}
$startRow_****************** = $pageNum_*************** * $maxRows_*****************;

mysql_select_db($database_**************, $**************);
$query_******************* = "SELECT * FROM **************";
$query_limit_***************** = sprintf("%s LIMIT %d, %d", $query_*****************, $startRow_****************, $maxRows_*********************);
$********************** = mysql_query($query_limit_***************, $********************) or die(mysql_error());
$row_*********************** = mysql_fetch_assoc($********************);

if (isset($_GET['totalRows_***************'])) {
  $totalRows_******************* = $_GET['totalRows_******************'];
} else {
  $all_****************** = mysql_query($query_****************);
  $totalRows_***************** = mysql_num_rows($all_**************);
}
$totalPages_****************** = ceil($totalRows_**********************/$maxRows_*******************)-1;

// Rebuild the query string without the paging parameters.
$queryString_******************** = "";
if (!empty($_SERVER['QUERY_STRING'])) {
  $params = explode("&", $_SERVER['QUERY_STRING']);
  $newParams = array();
  foreach ($params as $param) {
    if (stristr($param, "pageNum_***************") == false &&
        stristr($param, "totalRows_***************") == false) {
      array_push($newParams, $param);
    }
  }
  if (count($newParams) != 0) {
    $queryString_***************** = "&" . htmlentities(implode("&", $newParams));
  }
}
$queryString_**************** = sprintf("&totalRows_******************=%d%s", $totalRows_******************, $queryString_*****************);
?>

Thanks!

Topics: Server side applications
1 Correct answer

LEGEND, Jul 08, 2009

Thanks for recommending my book, UteFanJason.

To answer the original question, the simple way to remove all HTML from user input is to use the PHP function strip_tags().

Just put this at the top of the script:

if (isset($_POST['CommentBox'])) {
  $_POST['CommentBox'] = strip_tags($_POST['CommentBox']);
  $_POST['Username'] = strip_tags($_POST['Username']);
}

Get rid of the following line:

$input = ereg_replace("<.*>","",$input);

It's useless, and contains deprecated code anyway.

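As an added illustration of the accepted answer (this is example code written for this page, not code from the thread or from Dreamweaver), the script below shows the two places a comment should be handled: strip_tags() when the value arrives, as the reply says, and htmlspecialchars() when it is echoed back into the page, so that rows stored before the fix or by another code path still cannot inject markup. The function names sanitizeComment and renderComment and the $sampleComments inputs are this example's own; the sample comments are constructed to resemble what the original poster described. It also shows why the original $input = ereg_replace(...) line had no effect: nothing in it reads $_POST.

```php
<?php
// Added example, not from the thread. Two defensive layers for user-submitted comments:
//   1. strip_tags() at input time, so no markup is stored (the accepted answer).
//   2. htmlspecialchars() at output time, so stored text can never be rendered as HTML.

function sanitizeComment(string $raw): string
{
    // Remove every tag, including <a>, <script> and unclosed "<" fragments.
    // No allowed-tags list is passed, matching the reply's use of strip_tags().
    $clean = strip_tags($raw);

    // Collapse runs of whitespace and bound the length so the stored value stays sane.
    // preg_replace() returns null on invalid UTF-8; fall back to the unchanged text then.
    $clean = trim(preg_replace('/\s+/u', ' ', $clean) ?? $clean);
    return mb_substr($clean, 0, 1000);
}

function renderComment(string $stored): string
{
    // Encode at output time. Even if input filtering is bypassed or skipped for an
    // older row, the browser receives entities, not tags.
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs (not real posts) covering the cases that matter here.
$sampleComments = [
    'Great video <a href="http://example.com">click here</a>!',   // injected link
    '<b>Nice</b> clip <script>alert(1)</script>',                 // injected script
    'Plain text with 5 < 10 and 10 > 5',                          // "<" followed by a space is kept by strip_tags
    'Broken markup: a<b and c>d',                                 // strip_tags drops "<b and c>": lossy on bare "<"
];

// What the Dreamweaver snippet did: $input is never set from the form, so this is a no-op
// on the posted data. The form fields have to be filtered explicitly, as below.
$input = '';

foreach ($sampleComments as $raw) {
    // This is the step the accepted answer puts at the top of the script,
    // applied to $_POST['CommentBox'] and $_POST['Username'] before the INSERT.
    $stored = sanitizeComment($raw);

    printf("raw:      %s\nstored:   %s\nrendered: %s\n\n", $raw, $stored, renderComment($stored));
}
```

The fourth sample is the caveat a practitioner should know: strip_tags() does not parse HTML, so a stray "<" in legitimate text can swallow everything up to the next ">". If comments must keep such characters, storing the raw text and relying on htmlspecialchars() at output (the second layer) is the alternative; either way the output encoding step is the one that actually stops injected markup from rendering.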
Participant, Jul 06, 2009

There is a great book that would help you in this along with many other php/mysql solutions.

The book: PHP Solutions

Author: David Powers

It is very inexpensive on Amazon.com. I cannot remember off the top of my head the exact part of the book that goes over it, but it will cover it.

It is a very valuable resource. You can benefit from it whether you read through and follow the examples or just use it as a reference.

If you are learning php I would highly recommend that book.

Participant, Jul 08, 2009 (latest)

No problem David. When I first started wanting to learn how to create data driven sites that book covered all the major topics I wanted to learn.
