Reputation: 2814
How to not allow someone to throw HTML into a forum comment
im trying to make a little forum type thing. so how would i do the comments that no can throw html in there?
thanks in advance =)
Upvotes: 1
Views: 78
Answers (5)
Reputation: 41
You can use strip_tags to eliminate all the tags.
If you strip just < with < and > with > you'll end with a lot of junk into the stored db entry.
But if you are making a forum maybe you should implement a specific way to let your users personalize a little bit their post, a la stackoverflow..
You can create a special wordlist or just allow some tags. Check this site.
Upvotes: 0
Reputation: 61755
Simplest way, is to replace < with < and > with > then insert the post into the database.
That's the basic starting point, you can whitelist certain tags and expand on it later but this will protect you against just about every HTML injection.
Alternatively, you can use some kind of HTML encode function to sanitise input.
Upvotes: 2
Reputation: 22340
If you want to prevent them using any HTML at all, you can just use htmlspecialchars(). You have a choice over whether you do that before storing in the database, or before output of the page (most people will recommend sanitising output immediately before it is used, i.e. when you output the page).
Upvotes: 0
Related Questions
- PHP Based HTML Validator
- Html tag validation with php
- HTML Validation using PHP
- HTML comment tag input validation in php
- Don't allow user to enter HTML tags in input
- Validating html generated by php
- PHP Comment Form Validation to Protect Against Spam
- Prohibit the posting of HTML in textarea form field
- Prevent Comments from Parsing
- Validating html with php