I've been working on this for several days and haven't found an easy solution. I've created a simple question and answer form that uses PHP to load up a Subject and comment field. The comment field is very similar to the form I'm using to fill out this question. It's a simple Text Area box, the Subject is a simple Text Field box. Both are required and add to a MySQL database table that has an id, subject and comments table setup.
Now that I've got it up I'd like to prevent folks from adding links and scripts to both fields. I just want plain text, no <a href"my good stuff.com"> or malicious scripts. There's got to be a simple way of looking at the text in the fields and discovering < or > and then just redirecting them to an error page that says you can't post code here...
I've written code that validates e-mail addresses, but I can't seem to get a handle on looking for and failing any post that attempts to add a link.
Thanks for the help.
There are several techniques. It's best if you read about cross-site scripting. Just search for 'php xss validation' for many examples. Here's a good article.
http://www.owasp.org/index.php/Top_10_2007-A1#Protection
Thanks for the link. I've looked at lots of articles like that. I don't want to sanitize, I want to prevent. Shouldn't the code be as simple as
$comments = $_REQUEST['comments'];
Obviously this isn't code, it's the idea. I have code that checks for valid e-mail addresses. Sometimes I do that with Spry, sometimes with PHP validation.
Come to think of it, a Spry validation script that checked for malicious code would be a very elegant solution. If anyone has any ideas, please let me know. Preventing this kind of problem should be easier than loading up something like htmlpurifier 4.0 (a ton of code) that, as far as I can tell, sanitizes the code, which I don't want, rather than simply preventing html or java special characters from being added to the text.
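Added example, not code from anyone in this thread: a server-side PHP check that does what the question asks (reject any post whose subject or comment contains `<` or `>` and send the user to an error page) rather than sanitizing, together with the two things the OWASP link above is really about: the rejection has to happen in PHP, because a Spry/JavaScript check runs in the visitor's browser and is skipped by anyone who submits the form directly, and the database insert and the later display still need parameter binding and `htmlspecialchars()` regardless of the filter. The table name `comments`, the `$db` mysqli connection with its placeholder credentials, the field length limits and `error.php` are all assumptions, not details from the thread.

```php
<?php
// Added example for the thread above, not the poster's code.
// Assumed: MySQL table `comments` (id, subject, comments), a mysqli
// connection in $db with placeholder credentials, an error page error.php.
declare(strict_types=1);

/**
 * Return the list of reasons a plain-text field is unacceptable (empty array = OK).
 * This rejects instead of sanitizing: one '<' or '>' fails the whole post.
 * It must run on the server; a client-side (Spry) check is only a convenience.
 */
function plainTextProblems(string $value, int $maxLen): array
{
    $problems = [];
    if (trim($value) === '') {
        $problems[] = 'field is required';
    }
    // Count characters, not bytes, so multibyte text is measured fairly.
    if (mb_strlen($value, 'UTF-8') > $maxLen) {
        $problems[] = "longer than $maxLen characters";
    }
    // strpbrk() finds the first '<' or '>' anywhere in the string.
    if (strpbrk($value, '<>') !== false) {
        $problems[] = 'contains < or >';
    }
    // Blocking angle brackets stops HTML tags. It does not stop text like
    // "javascript:alert(1)", which is harmless as text but dangerous if the
    // site ever auto-links URLs in comments, so flag it explicitly as well.
    if (preg_match('/\bjavascript\s*:/i', $value)) {
        $problems[] = 'contains a javascript: URL';
    }
    return $problems;
}

/** Escape a stored value for HTML output; used even though input was filtered. */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read from $_POST, not $_REQUEST, so a GET link cannot submit a comment.
$subject  = (string) ($_POST['subject'] ?? '');
$comments = (string) ($_POST['comments'] ?? '');

$problems = array_merge(
    plainTextProblems($subject, 200),     // limits are assumed values
    plainTextProblems($comments, 5000)
);

if ($problems !== []) {
    // Reject the whole post: nothing is inserted.
    // error.php must escape $_GET['reason'] with htmlspecialchars() when it
    // prints it, otherwise the error page itself becomes the XSS sink.
    header('Location: error.php?reason=' . rawurlencode(implode('; ', $problems)));
    exit;
}

// The '<' '>' filter is about HTML, not SQL: still bind parameters.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'app');   // placeholders
$stmt = $db->prepare('INSERT INTO comments (subject, comments) VALUES (?, ?)');
$stmt->bind_param('ss', $subject, $comments);
$stmt->execute();

// When displaying rows later, escape anyway. Rows written before this
// filter existed, or by other code, are not covered by it (defence in depth).
function renderRow(string $subject, string $comments): string
{
    return '<h3>' . escapeForHtml($subject) . '</h3>'
         . '<p>' . nl2br(escapeForHtml($comments)) . '</p>';
}
```

With this in place a comment such as `see <a href="http://example.com">here</a>` is refused with the reason `contains < or >`, while `2 + 2 = 4` and `I &lt;3 PHP` are accepted as plain text and rendered exactly as typed by `renderRow()`.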