mally

Reputation: 285

prevent links in html form fields

Is there a way to prevent a form from being submitted if it contains links? I would like to prevent links from being added to the inputs: question and message fields.

Can anyone point me in the right direction for info? Thanks.

<div class="form">
        <form id="sbwd_contact" method="post" action="http://whatanswered.com/forms/ask/ask.php">
            <em class="error"></em>
            <input type='hidden' name='sfm_form_submitted' value='yes'/>
            <label for="Email">E-Mail: </label>
            <input type="text" id="Email" name="Email" size="30" class="required email" />
            <label for="question">Question: </label>
            <input type="text" id="question" name="question" size="30" class="required" />
            <label for="Message">Additional Info: </label>
            <textarea name="Message" cols="30" rows="6" id="Message" class="required"></textarea>
            <br />
            <p><span>I Agree to the Terms and Conditions
                        <input type="checkbox" name="Terms_and_conditions" value="I agree" class="required"/></span></p>
            <input name="Submit" type="submit" id="Submit" value="Send" />
            <br /><br />
            <p><a href="http://whatanswered.com/terms-and-conditions.php" target="_blank">View our Terms and Conditions</a></p>
        </form>
</div>

Upvotes: 3

Views: 9756

Answers (4)

Dhruvi Mistry

Reputation: 122

Add this before insertion into the database:

// Matches http(s)/ftp URLs and bare "www." addresses in the submitted question
if (preg_match("/\b(?:(?:https?|ftp):\/\/|www\.)[-a-z0-9+&@#\/%?=~_|!:,.;]*[-a-z0-9+&@#\/%=~_|]/i", $_POST['question'])) {
    // prevent form from saving code goes here
    echo "<script>alert('Please remove URLs');</script>";
} else {
    // Insertion in Db
}

Upvotes: 5

Jordan Rieger

Reputation: 2664

To prevent the form from actually being submitted you would need to use JavaScript to suppress the bubbling of the submit event. Specifically I would recommend using jQuery, something like this:

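$(document).ready(function () {
  // :contains() matches element text, not an input's value, so test .val() instead
  $(document).on('submit', function () { if ($('#question').val().indexOf('href=') !== -1) return false; });
});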

I might be wrong, but it looks like you are trying to achieve some sort of simple protection against spam or cross-site-scripting (XSS). If so, this is probably not the best technique, since, like all client-side security, it can easily be bypassed. Better would be to use a regular expression to strip out such links on the server-side after the post. Or for spam prevention, use a proper Bayesian/keyword filter, such as implemented by many WordPress plugins. Remember, a spammer can still market his product without a hyperlink. I think you will find that trying to prevent spam by stopping posts with hyperlinks will not be sufficient for a semi-popular blog or talkback section. All sorts of other types of spam, e.g. stock market three-letter-code pump-and-dump, brand dropping, or brand FUD, can be effective without hyperlinks.

Also keep in mind that there are many different ways for the user to inject potentially harmful HTML/JS/SQL code into the posts. The best technique is to strengthen your handling of user input, rather than restricting input altogether. For example, on Stack Overflow, users can post HTML/JS code samples. SO doesn't want to prevent that input, so they make sure to escape it whenever it's sent back to the browser, rendering it totally harmless. See this article for more info: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.

Upvotes: 1
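The server-side check and output escaping discussed in the answers above, as an added example that is not part of any post or of the site's own code. The field names `question` and `Message` come from the form in the question; the helper names `contains_link`, `fields_with_links` and `h`, and the sample input, are hypothetical.

```php
<?php
// Added example. Field names come from the question's form; the helper
// names and the sample input below are hypothetical/constructed.
/** True if $text contains something that looks like a link. */
function contains_link(string $text): bool
{
    $patterns = [
        '~\b(?:https?|ftp)://\S+~i',               // scheme-prefixed URL
        '~\bwww\.[a-z0-9-]+(?:\.[a-z0-9-]+)+~i',   // bare www. host
        '~<\s*a\b[^>]*\bhref\s*=~i',               // raw anchor markup
    ];
    foreach ($patterns as $p) {
        if (preg_match($p, $text) === 1) {
            return true;
        }
    }
    return false;
}

/** Names of the free-text fields that contain a link. */
function fields_with_links(array $post, array $fields = ['question', 'Message']): array
{
    $bad = [];
    foreach ($fields as $name) {
        // A client can send Message[]=..., so accept strings only.
        $value = isset($post[$name]) && is_string($post[$name]) ? $post[$name] : '';
        if (contains_link($value)) {
            $bad[] = $name;
        }
    }
    return $bad;
}

/** Escape a value for an HTML context whenever it is echoed back. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$post = [
    'question' => 'Why is the sky blue?',
    'Message'  => 'See <a href="http://example.test/x">this</a> or www.example.test',
];

$bad = fields_with_links($post);
echo $bad
    ? 'Rejected, links found in: ' . h(implode(', ', $bad)) . "\n"
    : 'Accepted: ' . h($post['Message']) . "\n";
```

The check belongs in the script that receives the POST, before the database insert, with `h()` applied wherever stored text is written back into a page.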

anon

Reputation:

First of all, you are posting an HTML script, and you're asking about PHP, so you are not showing any effort. Having said that...

If I had wanted to prevent links from being submitted into a form, I could use the strip_tags() function of PHP to strip all <a > from what the user is entering, thus changing the link to just raw text. Alternatively, from the PHP side, you could use filter_var($url, FILTER_VALIDATE_URL) to validate whether a URL has been submitted:

$url = "http://www.mywebsite.com";

if (!filter_var($url, FILTER_VALIDATE_URL)) {
    echo "No URL detected";
} else {
    echo "URL is found";
}

And work your way up from there.

Upvotes: -2

Mario

Reputation: 420

Sure, you can check if your input field contains one or more substrings like 'HTTP://' and, if so, end the script with an error. Use http://php.net/manual/en/function.substr-count.php

Upvotes: 0
