View Full Version : How can I keep a user from entering HTML into a text field

11-17-2009, 04:53 AM
I want to prevent anyone from entering HTML into the text field on a basic form... Any suggestions?

11-17-2009, 04:58 AM
what does the form do , meaning is this handled with php for mail or entering into a database?

11-17-2009, 06:04 AM
make it a hidden field?

11-17-2009, 02:54 PM
you can allow it and then strip all the HTML off before you do anything with the data.
In PHP there's a function called 'strip_tags'.

11-17-2009, 03:11 PM
The form is entered into a database. Then it is displayed on the members page under a comments section.

11-17-2009, 03:14 PM
The form is entered into a database. Then it is displayed on the members page under a comments section.
Doesn't matter. Strip the tags before you put into the DB.

11-17-2009, 04:00 PM
OK so I put the strip tag function right into the text area where the user enters the comments and it doesn't work, where exactly do I need to place the function. Right now I have...

<textarea name="commentsbox" id="commentsbox" cols="45" rows="5"><?php
echo strip_tags("this is the content area");
?> </textarea>

11-17-2009, 05:10 PM
uhm.. no :)
That will not work, just use it where you insert your stuff into the DB, given that you use PHP for this.
But I think it might be a little over you based on the attempt you did.

Anyways, if you post your PHP script, if you use one, I'm sure someone can help with where you strip the tags.

11-17-2009, 05:30 PM
Yah I figure I was way off there... I am using a program called data-assit to upload the data into the database... here's what the script looks like that the program generates. The exact comment area is in bold.

// WA Application Builder Insert
if (isset($_POST["submit"])) // Trigger
$WA_connection = $con2com;
$WA_table = "comments";
$WA_sessionName = "comments_ID";
$WA_redirectURL = "../messagesent.php";
$WA_keepQueryString = true;
$WA_indexField = "ID";
$WA_fieldValuesStr = "".$row_Recordset1['username'] ."" . "|" . "".((isset($_POST["COMMENTORNAME"]))?$_POST["COMMENTORNAME"]:"") ."" . "|" . "".((isset($_POST["website"]))?$_POST["website"]:"") ."" . "|" . "".((isset($_POST["commentsbox"]))?$_POST["commentsbox"]:"") ."" . "|" . "".$row_Recordset1['ID'] ."" . "|" . "".((isset($_POST["ICON"]))?$_POST["ICON"]:"") ."";
$WA_columnTypesStr = "',none,''|',none,''|',none,''|',none,''|',none,''| ',none,''";
$WA_fieldNames = explode("|", $WA_fieldNamesStr);
$WA_fieldValues = explode("|", $WA_fieldValuesStr);
$WA_columns = explode("|", $WA_columnTypesStr);
$WA_connectionDB = $database_con2com;
mysql_select_db($WA_connectionDB, $WA_connection);
if (!session_id()) session_start();
$insertParamsObj = WA_AB_generateInsertParams($WA_fieldNames, $WA_columns, $WA_fieldValues, -1);
$WA_Sql = "INSERT INTO `" . $WA_table . "` (" . $insertParamsObj->WA_tableValues . ") VALUES (" . $insertParamsObj->WA_dbValues . ")";
$MM_editCmd = mysql_query($WA_Sql, $WA_connection) or die(mysql_error());
$_SESSION[$WA_sessionName] = mysql_insert_id();
if ($WA_redirectURL != "") {
if ($WA_keepQueryString && $WA_redirectURL != "" && isset($_SERVER["QUERY_STRING"]) && $_SERVER["QUERY_STRING"] !== "" && sizeof($_POST) > 0) {
$WA_redirectURL .= ((strpos($WA_redirectURL, '?') === false)?"?":"&").$_SERVER["QUERY_STRING"];
header("Location: ".$WA_redirectURL);

11-17-2009, 06:13 PM
Moving to PHP so you can get some help

11-18-2009, 12:11 AM
you could try to sanitise first, bfore the scrip runs maybe as in
i havent tested this but it shouldnt affect the script integrity , or at least is easy to remove if it dos

11-18-2009, 07:30 PM
This has helped resolve it. The final code is below and works.


04-18-2011, 07:38 PM
This is an old topic that I am revisiting- how can I modify the code above to keep out CERTAIN tags only, such as images and scripts and allow the rest, such as hyperlinks ect?