Printable View
I've created a guestbook (finally!), and I just noticed that I can even put in HTML tags in there.
Since I'm displaying the guestbook using tables and tds and trs, this means that a user can screw up the whole page by putting in a single </tr> or a </td> in there.
What can I do to prevent such a thing from happening?
$text=str_replace("<","<",$text);
$text=str_replace(">",">",$text);
or
$text=str_replace("</tr>","</tr>",$text);
$text=str_replace("</td>","</td>",$text);
?
or it might be the function
htmlspecialchars($text);
Yeah, thanks for that.
I have also been trying another thing
it's more of an opinon question thing rather:
WHen they give their email address, should I replace
@ with at
. with dot
?
I tried experimenting with the str_replace like this;
$email = str_replace("@"," at ",$email);
$email = str_replace("."," dot ",$email);
But after doing that, something like [email protected] becomes only:
"whatever "
Why is this?
Works for mePHP Code:$email = "[email protected]";
$email = str_replace("@"," at ",$email);
$email = str_replace("."," dot ",$email);
echo $email;
Thank you.
It must have been some weird anomaly here.
Quote:
Originally posted by mendhak
I've created a guestbook (finally!), and I just noticed that I can even put in HTML tags in there.
Since I'm displaying the guestbook using tables and tds and trs, this means that a user can screw up the whole page by putting in a single </tr> or a </td> in there.
What can I do to prevent such a thing from happening?
There's also the strip_tags() function which removes HTML and PHP tags from a string, unlinke htmlspecialchars() which just makes them viewable.Quote:
Originally posted by da_silvy
or it might be the function
htmlspecialchars($text);
But the cool thing about strip_tags() is that it lets you specify allowable tags which wont be stripped. So, say you want the user to be able to use <b>, <i>, and <u> (although, I believe <u> is deprecated), then you can do this:
Just thought I'd show you this option.Code:strip_tags($text, "<b><i><u>");
Although, I should probably note that strip_tags() will not remove attributes to the tags. So if someone sets the font size to be huge in a <b> tag through style=, you're in trouble. onMouseOver and all that, as well.
So I found this code that someone wrote on php.net to deal with it:
It will remove all attributes except a href= on an <a> tag.Code:function safeHTML($text) {
$text = stripslashes($text);
$text = strip_tags($text, '<b><i><u><a>');
$text = ereg_replace ("<a[^>]+href *= *([^ ]+)[^>]*>", "<a href=\\1>", $text);
$text = ereg_replace ("<([b|i|u])[^>]*>", "<\\1>", $text);
return $text;
}
that is why htmlspecialchars() is better, you don't have to worry about any html being messed up. it will just show up on the page as normal entities.
But if you want to allow certain tags...Quote:
Originally posted by phpman
that is why htmlspecialchars() is better, you don't have to worry about any html being messed up. it will just show up on the page as normal entities.
Very useful, thanks man! I don't think the style thing will be a really big problem, so I might as well go ahead with this. (I wanted to allow for <b><i> and <u> tags to work, the rest to be disabled).Quote:
Originally posted by The Hobo
There's also the strip_tags() function which removes HTML and PHP tags from a string, unlinke htmlspecialchars() which just makes them viewable.
But the cool thing about strip_tags() is that it lets you specify allowable tags which wont be stripped. So, say you want the user to be able to use <b>, <i>, and <u> (although, I believe <u> is deprecated), then you can do this:
Just thought I'd show you this option.Code:strip_tags($text, "<b><i><u>");
Well, I guess open source isn't as bad as I thought it was :D