Old 10-23-2009, 09:25 PM
  #1
COnlineMarket
Novice (Level 1)
 
Join Date: Oct 2009
Posts: 4
Question: PHP Echo Security

Hello,
I am in the process of making a site where users can enter in text into my database. Then it can be viewed from somewhere on the site.

I have it set up like this.
They enter text into text area.
Then it saves in database
Then users can see it.

Right now, if they type in something like "Hello<br> adfad", then when my website echoes the variable out it echoes the whole thing, and it looks like it would in HTML.

But i want it to look exactly like what they typed.

I don't want my users to be able to add their own HTML, just plain text, because I don't know what sort of damage they can do, and I don't want them to distort the page.

So what I want to know is,

Does anyone have any ideas on how I can make it so that the text entered is output as text only?
Old 10-23-2009, 10:32 PM
  #2
bowrider
Myrmidon (Level 12)
 
Join Date: Sep 2008
Location: florida
Posts: 177
Hi COnlineMarket,
You can use the strip_tags() function to strip HTML tags from anything the user types in, like so:
PHP Code:
// remove all HTML tags from the submitted text before it is stored
$to_post = strip_tags($_POST['user_posted_text']);
As a heads up, there are other security measures you will probably want to take, but
I will leave that to someone more savvy than I. I don't want to accidentally steer you wrong!

You can read more on this function here:
http://us3.php.net/manual/en/function.strip-tags.php
__________________
Just learnin myself!

Old 10-24-2009, 08:09 AM
  #3
COnlineMarket
Novice (Level 1)
 
Join Date: Oct 2009
Posts: 4
Hey thanks, I'll give this a try.
Old 10-25-2009, 05:59 PM
  #4
Vege
Super Deity (Level 18)
 
Join Date: Sep 2004
Location: Finland
Posts: 3,410
The example provided by bowrider is a little faulty.

If you want to display all data like it was provided, without chance of a security breach:
If UTF-8, only the magic five (< > & " ') need to be converted to entities:
PHP Code:
// ENT_QUOTES is needed for ' to be converted as well (htmlspecialchars() leaves it alone by default before PHP 8.1)
echo nl2br(htmlspecialchars($data_from_database_or_from_post, ENT_QUOTES, 'UTF-8'));
In other popular encodings "all" have to be transformed to entities:
PHP Code:
echo nl2br(htmlentities($data_from_database_or_from_post, ENT_QUOTES));
You might want to add strip_tags() there if you don't want to see the HTML tags someone might have tried, but it will not make your output any safer; it just might look visually better.

Though if you use strip_tags() it might remove wanted data if people insert tags by accident:
Quote:
I used to have <5 childrens, now i have 6>
You also need to take magic_quotes into account, or ' and " will look like \' and \".
http://www.htmlforums.com/serverside...on-100193.html

Here is an easy cheat sheet of characters to make sure you're displaying the data correctly: &<d>'"€हिन्दी

Last edited by Vege : 10-25-2009 at 06:04 PM.
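As an added example (not code from this thread or any of its posters): the escaping approach from Vege's post, run next to bowrider's strip_tags() suggestion over the thread's own strings, so the two failure modes Vege describes (strip_tags() eating "<5 childrens, now i have 6>", and strip_tags() not making the output any safer) are visible in the output. The helper names render_plain_text, render_attr and unescape_input and the two attack strings are my own; the code assumes the page is served as UTF-8 and that the text arrives unchanged from $_POST or the database.

```php
<?php
// Added example, not from the thread. Assumes the page is served as UTF-8 and that
// $text arrives unchanged from $_POST or the database. Helper names are my own.
declare(strict_types=1);

/** Escape user text for an HTML body context and keep the user's line breaks. */
function render_plain_text(string $text): string
{
    // ENT_QUOTES: also encode ' (not encoded by default before PHP 8.1).
    // ENT_SUBSTITUTE: replace invalid UTF-8 sequences instead of returning "" for the whole post.
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($escaped, false); // "\n" becomes "<br>\n"; this <br> is ours, not the user's
}

/** Escape user text for a double-quoted HTML attribute value (e.g. value="..."). */
function render_attr(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Undo magic_quotes_gpc on old PHP (< 5.4) so ' and " are not stored as \' and \". */
function unescape_input(string $text): string
{
    if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
        return stripslashes($text);
    }
    return $text;
}

// Constructed samples: the thread's own strings, Vege's cheat sheet, and two attack strings.
$samples = [
    "Hello<br> adfad",
    "I used to have <5 childrens, now i have 6>",
    "&<d>'\"€हिन्दी",
    "<script>alert(1)</script>",
    "\" onmouseover=\"alert(1)",
];

foreach ($samples as $s) {
    $s = unescape_input($s);
    echo "input      : $s\n";
    echo "strip_tags : " . strip_tags($s) . "\n";          // eats "<5 childrens, now i have 6>"; leaves & " ' alone
    echo "escaped    : " . render_plain_text($s) . "\n\n"; // every sample renders as the literal text typed
}

// Attribute context: strip_tags() passes the last sample through untouched (it contains no tag),
// so it closes value="..." and adds an event handler; htmlspecialchars() turns each " into &quot;.
$attack = $samples[4];
echo '<input value="' . strip_tags($attack) . '">' . "\n";  // broken: <input value="" onmouseover="alert(1)">
echo '<input value="' . render_attr($attack) . '">' . "\n"; // safe:   <input value="&quot; onmouseover=&quot;alert(1)">
```

Run it from the command line with php and compare the two <input> lines at the end. The escaping functions are what make the output safe; strip_tags() is cosmetic at best. The charset passed to htmlspecialchars() must match what the page actually declares in its Content-Type header or meta tag, otherwise the Hindi and euro characters in the cheat sheet are the first thing to break.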