
Thread: [RESOLVED] Protecting against HTML within form inputs

  1. #1

    Thread Starter
    Frenzied Member I_Love_My_Vans
    Join Date
    Jan 2005
    Location
    In the PHP compiler
    Posts
    1,275

    [RESOLVED] Protecting against HTML within form inputs

    I have a form to allow a user to contact me. I am aware of how to prevent the use of HTML in the input fields (htmlentities), but should I do this before it hits the DB, when it is being recalled, or both?

    Cheers

  2. #2
    PowerPoster Nightwalker83
    Join Date
    Dec 2001
    Location
    Adelaide, Australia
    Posts
    13,344

    Re: Protecting against HTML within form inputs

    I am curious how you would prevent HTML input into the fields.

  3. #3
    I'm about to be a PowerPoster!
    Join Date
    Jan 2005
    Location
    Everywhere
    Posts
    13,647

    Re: Protecting against HTML within form inputs

    Always before it is rendered into HTML. Don't sanitise data which is being stored in a database, unless it's for caching purposes (e.g. storing the resultant HTML).

  4. #4

    Thread Starter
    Frenzied Member I_Love_My_Vans
    Join Date
    Jan 2005
    Location
    In the PHP compiler
    Posts
    1,275

    Re: Protecting against HTML within form inputs

    If I have a comments box, without sanitizing someone would be able to enter JavaScript to flash up 100 alert boxes when the data is rendered.

    Pena: So leave the data alone when storing in a DB, and then sanitize on render?

    Is there anything else other than htmlentities that I should be using?

  5. #5
    I'm about to be a PowerPoster!
    Join Date
    Jan 2005
    Location
    Everywhere
    Posts
    13,647

    Re: Protecting against HTML within form inputs

    Yes, and not really. htmlentities will encode any characters which have special meaning in HTML, so you should be set.
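    The store-raw, encode-on-output approach the two replies above describe, as an added example that is not code from the thread. It uses htmlspecialchars(), which encodes the five characters that matter in HTML (&, <, >, " and ') exactly as htmlentities() does; the in-memory SQLite table, the helper names and the sample comment are constructed for the demonstration. One caveat the replies leave out: this encoding is correct for HTML text and quoted attribute values only. A value dropped into a JavaScript string, a URL, or an unquoted attribute needs the encoding for that context instead.

```php
<?php
// Added example, not code from the thread. Demonstrates: store the raw
// submission, encode it only when it is written into HTML.
declare(strict_types=1);

// Constructed sample of what someone might type into the comments box.
$submitted = "Nice site! <script>alert('xss')</script> & \"quoted\" <b>bold</b>\nSecond line";

// Encode for an HTML text node or a double/single-quoted attribute.
// ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Storage: a prepared statement, and no HTML encoding on the way in.
function storeComment(PDO $db, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
}

// Page output: the markup is displayed as text, not executed. The same
// helper is safe in the attribute and in the element body.
function renderComment(string $body): string
{
    return '<p class="comment" title="' . h($body) . '">' . h($body) . '</p>';
}

// Email output: the same stored value, untouched, because the email is
// plain text and HTML entities would show up literally in it.
function emailBody(string $body): string
{
    return "New contact form message:\n\n" . $body . "\n";
}

// Assumes the pdo_sqlite extension; an in-memory table stands in for the real DB.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
storeComment($db, $submitted);

$row = $db->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);

echo renderComment($row['body']), "\n";
echo emailBody($row['body']);
```

    Because nothing was encoded on the way into the database, the one stored value serves both outputs: the page gets the encoded form and the email gets the plain text, with no double-encoding or entity leakage in either.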

  6. #6

    Thread Starter
    Frenzied Member I_Love_My_Vans
    Join Date
    Jan 2005
    Location
    In the PHP compiler
    Posts
    1,275

    Re: Protecting against HTML within form inputs

    Thanks!

  7. #7
    Frenzied Member the182guy
    Join Date
    Nov 2005
    Location
    Cheshire, UK
    Posts
    1,473

    Re: [RESOLVED] Protecting against HTML within form inputs

    If you did not want any HTML to be input you could put your data through the strip_tags() function, which would remove the HTML tags and leave you with just the text.
    Chris

  8. #8

    Thread Starter
    Frenzied Member I_Love_My_Vans
    Join Date
    Jan 2005
    Location
    In the PHP compiler
    Posts
    1,275

    Re: [RESOLVED] Protecting against HTML within form inputs

    That's a good point, because obviously in these circumstances I would rather display the code than execute it, but if I could get rid of it 100% then it will look better at the other end also.

    Thanks 182182

  9. #9
    Frenzied Member the182guy
    Join Date
    Nov 2005
    Location
    Cheshire, UK
    Posts
    1,473

    Re: [RESOLVED] Protecting against HTML within form inputs

    No problem mate,

    If you do remove any HTML tags and save this to the DB, when outputting it back to a page the line breaks won't appear as they should (however, if outputting the comment in an email they will appear as normal). What I do when showing input text that has been stripped of HTML tags on a page is replace all the "\n" with <br /> tags after selecting it from the DB, so the line breaks appear as normal.

    hmmm... ILMV is not on MSN........ blocked
    Chris
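    The strip-on-input, line-breaks-on-output pipeline from the last two replies by the182guy, as an added example that is not code from the thread. The sample comment and the helper names are constructed for the demonstration. Two points a practitioner would want that the replies do not state: strip_tags() removes tags but keeps the text inside them, so it is not a substitute for encoding on output, and the encoding step has to run before the newline-to-<br /> replacement, or the <br /> tags you just inserted get encoded and are shown literally. PHP's built-in nl2br() does the "\n" to <br /> replacement described above.

```php
<?php
// Added example, not code from the thread. Demonstrates the strip-on-input,
// line-breaks-on-output pipeline, with the encoding step in the right order.
declare(strict_types=1);

// Constructed sample: tags, a quote, an ampersand and line breaks.
$submitted = "Hello <b>there</b>\n<script>alert(1)</script>\nShe said \"hi\" & left\nBye";

// Before storing: remove tags so the comment reads as plain text.
// strip_tags() drops the tags but keeps their inner text, so "alert(1)"
// survives as ordinary text; it does not replace output encoding.
function stripMarkup(string $comment): string
{
    return strip_tags($comment);
}

// Page output: encode first, then convert newlines. nl2br() inserts
// <br /> before each newline and is PHP's built-in for the replacement
// the post above does by hand.
function toHtml(string $stored): string
{
    return nl2br(htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// The same two steps in the wrong order: the <br /> tags get encoded too
// and the page shows them literally instead of breaking the line.
function toHtmlWrongOrder(string $stored): string
{
    return htmlspecialchars(nl2br($stored), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Email output: plain text, newlines already work, nothing to convert.
function toEmail(string $stored): string
{
    return $stored;
}

// What would be saved to the DB.
$stored = stripMarkup($submitted);

echo "Stored:\n", $stored, "\n\n";
echo "HTML:\n", toHtml($stored), "\n\n";
echo "HTML (wrong order):\n", toHtmlWrongOrder($stored), "\n\n";
echo "Email:\n", toEmail($stored), "\n";
```

    Running it shows the stored text with the tags gone but "alert(1)" still present, the page version with &quot; and &amp; encoded and <br /> before each newline, the wrong-order version with &lt;br /&gt; in the text, and the email version identical to what was stored.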

  10. #10

    Thread Starter
    Frenzied Member I_Love_My_Vans
    Join Date
    Jan 2005
    Location
    In the PHP compiler
    Posts
    1,275

    Re: [RESOLVED] Protecting against HTML within form inputs

    Quote Originally Posted by the182guy
    hmmm... ILMV is not on MSN........ blocked

    Nah I was posting from work during the day
