-
Feb 7th, 2003, 12:29 AM
#1
Guestbook Question *resolved*
I've created a guestbook (finally!), and I just noticed that I can even put in HTML tags in there.
Since I'm displaying the guestbook using tables and tds and trs, this means that a user can screw up the whole page by putting in a single </tr> or a </td> in there.
What can I do to prevent such a thing from happening?
Last edited by mendhak; Feb 7th, 2003 at 12:13 PM.
-
Feb 7th, 2003, 12:40 AM
#2
Conquistador
$text=str_replace("<","&lt;",$text);
$text=str_replace(">","&gt;",$text);
or
$text=str_replace("</tr>","&lt;/tr&gt;",$text);
$text=str_replace("</td>","&lt;/td&gt;",$text);
?
-
Feb 7th, 2003, 12:42 AM
#3
Conquistador
or it might be the function
htmlspecialchars($text);
-
Feb 7th, 2003, 01:55 AM
#4
Yeah, thanks for that.
I have also been trying another thing
it's more of an opinon question thing rather:
WHen they give their email address, should I replace
@ with at
. with dot
?
I tried experimenting with the str_replace like this;
$email = str_replace("@"," at ",$email);
$email = str_replace("."," dot ",$email);
But after doing that, something like [email protected] becomes only:
"whatever "
Why is this?
-
Feb 7th, 2003, 03:13 AM
#5
Conquistador
PHP Code:
$email = "[email protected]";
$email = str_replace("@"," at ",$email);
$email = str_replace("."," dot ",$email);
echo $email;
Works for me
-
Feb 7th, 2003, 12:12 PM
#6
Thank you.
It must have been some weird anomaly here.
-
Feb 12th, 2003, 12:11 PM
#7
Stuck in the 80s
Re: Guestbook Question *resolved*
Originally posted by mendhak
I've created a guestbook (finally!), and I just noticed that I can even put in HTML tags in there.
Since I'm displaying the guestbook using tables and tds and trs, this means that a user can screw up the whole page by putting in a single </tr> or a </td> in there.
What can I do to prevent such a thing from happening?
Originally posted by da_silvy
or it might be the function
htmlspecialchars($text);
There's also the strip_tags() function which removes HTML and PHP tags from a string, unlike htmlspecialchars() which just makes them viewable.
But the cool thing about strip_tags() is that it lets you specify allowable tags which won't be stripped. So, say you want the user to be able to use <b>, <i>, and <u> (although, I believe <u> is deprecated), then you can do this:
Code:
strip_tags($text, "<b><i><u>");
Just thought I'd show you this option.
-
Feb 12th, 2003, 12:16 PM
#8
Stuck in the 80s
Although, I should probably note that strip_tags() will not remove attributes to the tags. So if someone sets the font size to be huge in a <b> tag through style=, you're in trouble. onMouseOver and all that, as well.
So I found this code that someone wrote on php.net to deal with it:
Code:
function safeHTML($text) {
    $text = stripslashes($text);
    $text = strip_tags($text, '<b><i><u><a>');
    // Keep only the href= attribute on <a> tags.
    // (ereg_replace() was removed in PHP 7; preg_replace() is the equivalent.)
    $text = preg_replace('/<a[^>]+href *= *([^ >]+)[^>]*>/i', '<a href=$1>', $text);
    // Strip every attribute from <b>, <i> and <u> tags.
    $text = preg_replace('/<([biu])[^>]*>/i', '<$1>', $text);
    return $text;
}
It will remove all attributes except a href= on an <a> tag.
-
Feb 12th, 2003, 05:32 PM
#9
Frenzied Member
that is why htmlspecialchars() is better, you don't have to worry about any html being messed up. it will just show up on the page as normal entities.
-
Feb 12th, 2003, 09:56 PM
#10
Stuck in the 80s
Originally posted by phpman
that is why htmlspecialchars() is better, you don't have to worry about any html being messed up. it will just show up on the page as normal entities.
But if you want to allow certain tags...
-
Feb 12th, 2003, 10:03 PM
#11
Re: Re: Guestbook Question *resolved*
Originally posted by The Hobo
There's also the strip_tags() function which removes HTML and PHP tags from a string, unlike htmlspecialchars() which just makes them viewable.
But the cool thing about strip_tags() is that it lets you specify allowable tags which won't be stripped. So, say you want the user to be able to use <b>, <i>, and <u> (although, I believe <u> is deprecated), then you can do this:
Code:
strip_tags($text, "<b><i><u>");
Just thought I'd show you this option.
Very useful, thanks man! I don't think the style thing will be a really big problem, so I might as well go ahead with this. (I wanted to allow for <b><i> and <u> tags to work, the rest to be disabled).
Well, I guess open source isn't as bad as I thought it was
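An added example, not posted by anyone in this thread, showing the escape-first way of getting what the last two posts want (allow <b>, <i>, <u> and nothing else, with no attributes surviving) without relying on strip_tags() and its attribute problem. It assumes PHP 7 or later and a UTF-8 page; the entry strings are constructed samples.

```php
<?php
// Render one guestbook entry inside a table cell, allowing only bare
// <b>, <i> and <u>. Everything is escaped first, then only exact, paired,
// attribute-free whitelisted tags are turned back into markup.
function renderEntry(string $text, array $allowed = ['b', 'i', 'u']): string
{
    // Step 1: neutralise every tag, including </td> and </tr>. ENT_QUOTES
    // also escapes single quotes, so the result is safe in attributes too.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: re-enable whitelisted tags only as matched open/close pairs.
    // "&lt;b style=...&gt;" never matches, so it stays visible literal text,
    // and an unmatched closing tag is never produced.
    foreach ($allowed as $tag) {
        $safe = preg_replace(
            "/&lt;$tag&gt;(.*?)&lt;\\/$tag&gt;/s",
            "<$tag>$1</$tag>",
            $safe
        );
    }
    return $safe;
}

// Constructed sample entries of the kind discussed in the thread.
$entries = [
    'Nice site! <b>Great</b> work.',
    'Breaking out: </td></tr><tr><td>I own your layout now',
    '<b style="font-size:300px" onmouseover="alert(1)">huge</b>',
    '<b><i>nested</i></b> is fine, <u>unclosed is left escaped',
];

echo "<table>\n";
foreach ($entries as $entry) {
    echo "  <tr><td>" . renderEntry($entry) . "</td></tr>\n";
}
echo "</table>\n";
```

Tag matching is case-sensitive and deliberately conservative: an upper-case <B> or a tag carrying any attribute is shown as text rather than interpreted.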