-
Oct 26th, 2008, 06:33 PM
#1
Thread Starter
Frenzied Member
[RESOLVED] Protecting against HTML within form inputs
I have a form to allow a user to contact me. I am aware of how to prevent the use of HTML in the input fields (htmlentities), but should I do this before it hits the DB, when it is being recalled, or both?
Cheers
-
Oct 26th, 2008, 09:09 PM
#2
Re: Protecting against HTML within form inputs
I am curious how you would prevent the HTML input into the fields?
When you quote a post could you please do it via the "Reply With Quote" button, or if it's multiple posts click the "''+" button then the "Reply With Quote" button.
If this thread is finished with please mark it "Resolved" by selecting "Mark thread resolved" from the "Thread tools" drop-down menu.
-
Oct 26th, 2008, 09:34 PM
#3
Re: Protecting against HTML within form inputs
Always before it is rendered into HTML. Don't sanitise data which is being stored in a database, unless it's for caching purposes (e.g. storing the resultant HTML).
-
Oct 27th, 2008, 02:28 AM
#4
Thread Starter
Frenzied Member
Re: Protecting against HTML within form inputs
If I have a comments box, without sanitizing someone would be able to enter JavaScript to flash up 100 alert boxes when the data is rendered.
Pena: So leave the data alone when storing in a DB, and then sanitize on render?
Is there anything else other than htmlentities that I should be using?
-
Oct 27th, 2008, 02:53 AM
#5
Re: Protecting against HTML within form inputs
Yes, and not really. htmlentities will encode any characters which have special meaning in HTML, so you should be set.
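The pattern posts #3 and #5 describe (store the submission unchanged, encode it only when it is rendered into HTML), as an added example that is not code from the thread. The in-memory SQLite database, the `comments` table and the sample comment are assumptions made for the demonstration; the `ENT_QUOTES` flag is the practical caveat, since without it single quotes are left alone on older PHP versions and the value is not safe inside a single-quoted attribute.

```php
<?php
// Added example: keep the raw submission in the database and escape only
// at render time. The database and sample text are constructed for the demo.

// Constructed sample of what a visitor might type into the comment box.
$submitted = "Hi <b>there</b> & \"friends\" <script>alert(1)</script>";

// Storage: a prepared statement with a bound parameter stores the text
// exactly as typed and also keeps the value out of the SQL itself.
function storeComment(PDO $db, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
}

// Rendering: encode every character with a meaning in HTML. ENT_QUOTES
// encodes both quote styles so the result is also safe inside a quoted
// attribute; ENT_SUBSTITUTE replaces invalid byte sequences instead of
// returning an empty string; the charset must match the page's own.
function renderComment(string $comment): string
{
    return htmlentities($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed throwaway database so the script runs on its own.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

storeComment($db, $submitted);
$stored = $db->query('SELECT body FROM comments')->fetchColumn();

// Nothing was altered on the way in; the encoding happens here, on the way out.
echo '<p>' . renderComment($stored) . "</p>\n";
```

Running it shows the script tag printed as literal text rather than executed, which is what the thread starter wants for a comments box. The same `renderComment` call has to be applied at every place the value is echoed into a page, not just one; escaping once at storage time would not cover an export to another format and would double-encode if a later template escapes again.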
-
Oct 27th, 2008, 03:37 AM
#6
Thread Starter
Frenzied Member
Re: Protecting against HTML within form inputs
Thanks!
-
Oct 27th, 2008, 11:20 AM
#7
Re: [RESOLVED] Protecting against HTML within form inputs
If you did not want any HTML to be inputted you could put your data through the strip_tags() function which would remove the HTML tags and leave you with just the text.
-
Oct 27th, 2008, 11:23 AM
#8
Thread Starter
Frenzied Member
Re: [RESOLVED] Protecting against HTML within form inputs
That's a good point, because obviously in these circumstances I would rather display the code than execute it, but if I could get rid of it 100% then it will look better at the other end also.
Thanks 182182
-
Oct 27th, 2008, 11:50 AM
#9
Re: [RESOLVED] Protecting against HTML within form inputs
No problem mate,
If you do remove any HTML tags and save this to the db, when outputting it back to a page line breaks won't appear as they should (however if outputting the comment in an email they will appear as normal). What I do when showing inputted text that has been stripped of HTML tags to a page is replace all the "\n" with <br /> tags after selecting it from the db, so the line breaks appear as normal.
hmmm... ILMV is not on MSN........ blocked
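The strip_tags() approach from post #7 combined with the line-break handling from post #9, as an added example rather than the poster's own code. The sample comment is constructed, and `nl2br()` is used in place of a hand-written "\n" to <br /> replacement because it does exactly that. The point the example adds is ordering: strip_tags() removes tags but leaves characters such as "&" and the text inside the removed tags behind, so the value is still encoded on output, and the encoding must run before the <br /> tags are inserted or they would be encoded too.

```php
<?php
// Added example: strip tags on the way in, keep the line breaks, and still
// encode on the way out. The sample text is constructed for the demo.

$submitted = "First line <b>bold</b>\nSecond line & a <script>alert(1)</script>\nThird";

// Input side: drop HTML tags so the stored comment is plain text.
// Newlines survive this step, which is why the display side handles them.
function cleanForStorage(string $comment): string
{
    return strip_tags($comment);
}

// Output side: encode first, then turn newlines into <br /> tags.
// Doing it in the other order would encode the <br /> tags themselves.
function renderPlainText(string $stored): string
{
    $encoded = htmlentities($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($encoded);
}

$stored = cleanForStorage($submitted);
echo '<p>' . renderPlainText($stored) . "</p>\n";
```

Note that strip_tags() keeps the text between the removed tags, so "alert(1)" remains in the stored comment as harmless text, and the "&" is only made safe by the htmlentities() call at render time. For an email body the stored value can be sent as-is, as post #9 says, since the newlines are still present.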
-
Oct 27th, 2008, 06:36 PM
#10
Thread Starter
Frenzied Member
Re: [RESOLVED] Protecting against HTML within form inputs
Originally Posted by the182guy
hmmm... ILMV is not on MSN........ blocked
Nah I was posting from work during the day