user547794

Reputation: 14521

PHP prevent HTML in form text field?

I have a text form field that users may enter notes into. I then use a PHP/MySQL database to store these entries. How do I prevent somebody from entering HTML into the text field?

Upvotes: 1

Views: 4878

Answers (4)

Alfred

Reputation: 61793

1. Filter input

First filter your input

Input filtering is one of the cornerstones of any application security, independently of the language or environment.

2. Use PDO

Next use PDO prepared statements to make your SQL queries safe.

A prepared statement is a precompiled SQL statement that can be executed multiple times by sending just the data to the server. It has the added advantage of automatically making the data used in the placeholders safe from SQL injection attacks.

Upvotes: 0
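The two steps above, worked through as an added example (not code from the answer): a filter function that normalises and validates the note field, and PDO prepared statements that store and read it back. It assumes PHP 8 with the pdo_sqlite extension, and uses an in-memory SQLite database and a `notes` table so that it runs offline; the table name and the length limit are assumptions.

```php
<?php
// Added example: validate the raw field value, then store and fetch it through
// PDO prepared statements. SQLite in memory stands in for the MySQL database.
declare(strict_types=1);

const NOTE_MAX_LEN = 2000; // assumed application limit

/**
 * Filter step: normalise and validate the raw field value.
 * Returns the cleaned note or throws if the value is not acceptable.
 * It deliberately does not try to remove HTML; it only enforces shape,
 * so that whatever is stored can be escaped reliably on output.
 */
function filterNote(mixed $raw): string
{
    if (!is_string($raw)) {
        throw new InvalidArgumentException('note must be a string');
    }
    // Reject malformed UTF-8 instead of storing bytes we cannot escape later.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('note must be valid UTF-8');
    }
    $note = trim($raw);
    if ($note === '') {
        throw new InvalidArgumentException('note must not be empty');
    }
    if (mb_strlen($note, 'UTF-8') > NOTE_MAX_LEN) {
        throw new InvalidArgumentException('note is too long');
    }
    // Drop control characters except tab, carriage return and newline.
    return preg_replace('/[^\P{C}\t\r\n]+/u', '', $note);
}

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, note TEXT NOT NULL)');
    return $pdo;
}

function insertNote(PDO $pdo, string $note): int
{
    // The placeholder keeps the value out of the SQL text entirely, so quotes
    // and semicolons in the note are data, never syntax.
    $stmt = $pdo->prepare('INSERT INTO notes (note) VALUES (:note)');
    $stmt->execute([':note' => $note]);
    return (int) $pdo->lastInsertId();
}

function fetchNote(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT note FROM notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['note'];
}

// Constructed sample input, as $_POST['note'] might arrive from the form.
$raw = "  Don't forget: it's <b>important</b>; see O'Reilly  ";

$pdo = openDb();
$id = insertNote($pdo, filterNote($raw));
echo fetchNote($pdo, $id), "\n";
```

The stored value still contains the `<b>` tags and the apostrophes exactly as typed; the prepared statement made the apostrophes harmless for SQL, and the HTML is dealt with when the note is printed into a page, not here.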

RobertPitt

Reputation: 57268

Don't do anything to the text, just store it as they enter it.

Reason being is that maybe you want to add content that looks like HTML but actually isn't. For example:

I was updating the site earlier and I had to add a few < br > tags to let the content move down a touch.

What you should be doing is storing the content as it is within the database, making sure that you escape the data for SQL injection purposes, and then upon output to the browser you should escape the content using htmlentities like so:

<div id="notes">
    <?php echo htmlentities($row['note']) ?>
</div>

This way the HTML tags do not take any effect on the actual DOM as they're escaped. The desired output within the DOM should look like:

I was updating the site earlier and I had to add a few &lt; br &gt; tags to let the content move down a touch.

and the user would actually see the <br> as plain text.

Hope this helps.

Upvotes: 5
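The escape-on-output approach from this answer as an added example (not the answer's own code): notes are kept verbatim and converted only at the point where they are written into HTML. The `$rows` array is constructed here to stand in for a SELECT result, and the helper names are assumptions.

```php
<?php
// Added example: store the note exactly as entered, escape only when it is
// placed into an HTML element body.
declare(strict_types=1);

/**
 * Escape a stored note for placement inside an HTML element body.
 * ENT_QUOTES converts both quote characters, so the same helper stays safe
 * if it is later reused inside an attribute value; ENT_SUBSTITUTE replaces
 * invalid byte sequences instead of returning an empty string; the charset
 * is given explicitly so escaping and page encoding cannot disagree.
 */
function escapeNote(string $note): string
{
    return htmlentities($note, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render the notes block from the answer, with every note escaped. */
function renderNotes(array $rows): string
{
    $html = "<div id=\"notes\">\n";
    foreach ($rows as $row) {
        // nl2br() runs after escaping: the <br /> tags it inserts are ours,
        // while any "<br>" the user typed has already become text.
        $html .= '  <p>' . nl2br(escapeNote($row['note'])) . "</p>\n";
    }
    return $html . "</div>\n";
}

// Constructed rows standing in for a SELECT result; stored verbatim, as the answer advises.
$rows = [
    ['note' => 'I was updating the site earlier and I had to add a few < br > tags to let the content move down a touch.'],
    ['note' => "Second line after a real newline\nwith a \"quoted\" <b>word</b>"],
];

echo renderNotes($rows);
```

The first note comes out with `&lt; br &gt;`, which the browser displays as the literal characters, matching the output the answer describes. Keeping the raw text in the database also means the same note can later be emitted into JSON, a plain-text e-mail or a CSV export with the escaping appropriate to that format, which would not be possible if it had been HTML-escaped before storage.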

Alex Weinstein

Reputation: 9891

If you're planning to also store the data in your database, you need to clean the input using mysql_real_escape_string() to prevent SQL injection (http://en.wikipedia.org/wiki/SQL_injection).

Upvotes: 0

Brad Christie

Reputation: 101614

You're probably looking for strip_tags.

Upvotes: 6
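An added example (not from the answer) showing what strip_tags does to a few constructed notes, with and without an allow-list of tags, and why its result still has to go through htmlspecialchars before it is printed into a page. The sample strings and helper names are constructed for this illustration.

```php
<?php
// Added example: strip_tags() removes markup from a note before storage, but
// the PHP manual is explicit that it does not validate HTML and should not be
// relied on to prevent XSS; output escaping is still required.
declare(strict_types=1);

/** Remove all markup from a note before storing it; plain text only. */
function stripAllMarkup(string $note): string
{
    return strip_tags($note);
}

/** Keep a small allow-list of formatting tags and drop everything else. */
function stripExceptBasic(string $note): string
{
    return strip_tags($note, '<b><i>');
}

/** Escape stripped text for an HTML element body; always do this at output. */
function toHtmlText(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs, each chosen to show one documented behaviour.
$samples = [
    // Ordinary tags are removed (or kept, when allow-listed).
    'plain text with <b>bold</b> and a <br> break',
    // A tag that is never closed removes the rest of the string: strip_tags
    // does not parse HTML and can discard more text than expected.
    'text before <b an unclosed tag',
    // A stray "<" followed by a space is not a tag, so strip_tags leaves it;
    // the output is therefore still not safe to print without escaping.
    '5 < 10 still has an angle bracket',
    // Attributes on an allow-listed tag are left exactly as they were.
    '<b title="kept as-is">allowed tag</b>',
];

foreach ($samples as $s) {
    printf(
        "input      : %s\nstripped   : %s\nallow-list : %s\nfor output : %s\n\n",
        $s,
        stripAllMarkup($s),
        stripExceptBasic($s),
        toHtmlText(stripAllMarkup($s))
    );
}
```

Two things to take from the output: strip_tags is a content decision (the note should be plain text), not an output-safety measure, so `toHtmlText` is still applied at render time; and an allow-list does not inspect the attributes on the tags it keeps, so allow-listing tags on its own does not make stored markup safe to echo.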
