How can I keep a user from entering HTML into a text field


woofy
11-17-2009, 05:53 AM
I want to prevent anyone from entering HTML into the text field on a basic form... Any suggestions?

edbr
11-17-2009, 05:58 AM
What does the form do, meaning is this handled with PHP for mail or for entering into a database?

Corrosive
11-17-2009, 07:04 AM
make it a hidden field?

domedia
11-17-2009, 03:54 PM
you can allow it and then strip all the HTML off before you do anything with the data.
In PHP there's a function called 'strip_tags'.

woofy
11-17-2009, 04:11 PM
The form is entered into a database. Then it is displayed on the members page under a comments section.

domedia
11-17-2009, 04:14 PM
The form is entered into a database. Then it is displayed on the members page under a comments section.
Doesn't matter. Strip the tags before you put into the DB.

woofy
11-17-2009, 05:00 PM
OK, so I put the strip_tags function right into the text area where the user enters the comments and it doesn't work. Where exactly do I need to place the function? Right now I have...


<textarea name="commentsbox" id="commentsbox" cols="45" rows="5"><?php
echo strip_tags("this is the content area");
?> </textarea>

domedia
11-17-2009, 06:10 PM
uhm.. no :)
That will not work, just use it where you insert your stuff into the DB, given that you use PHP for this.
But I think it might be a little over you based on the attempt you did.

Anyways, if you post your PHP script, if you use one, I'm sure someone can help with where you strip the tags.

woofy
11-17-2009, 06:30 PM
Yeah, I figure I was way off there... I am using a program called Data Assist to upload the data into the database... here's what the script looks like that the program generates. The exact comment area is in bold.

<?php
// WA Application Builder Insert
if (isset($_POST["submit"])) // Trigger
{
$WA_connection = $con2com;
$WA_table = "comments";
$WA_sessionName = "comments_ID";
$WA_redirectURL = "../messagesent.php";
$WA_keepQueryString = true;
$WA_indexField = "ID";
$WA_fieldNamesStr = "USERNAME|COMMENTER|PAGE|COMMENTS|USERIDENT|COMMIDENT";
$WA_fieldValuesStr = "".$row_Recordset1['username'] ."" . "|" . "".((isset($_POST["COMMENTORNAME"]))?$_POST["COMMENTORNAME"]:"") ."" . "|" . "".((isset($_POST["website"]))?$_POST["website"]:"") ."" . "|" . "".((isset($_POST["commentsbox"]))?$_POST["commentsbox"]:"") ."" . "|" . "".$row_Recordset1['ID'] ."" . "|" . "".((isset($_POST["ICON"]))?$_POST["ICON"]:"") ."";
$WA_columnTypesStr = "',none,''|',none,''|',none,''|',none,''|',none,''|',none,''";
$WA_fieldNames = explode("|", $WA_fieldNamesStr);
$WA_fieldValues = explode("|", $WA_fieldValuesStr);
$WA_columns = explode("|", $WA_columnTypesStr);
$WA_connectionDB = $database_con2com;
mysql_select_db($WA_connectionDB, $WA_connection);
if (!session_id()) session_start();
$insertParamsObj = WA_AB_generateInsertParams($WA_fieldNames, $WA_columns, $WA_fieldValues, -1);
$WA_Sql = "INSERT INTO `" . $WA_table . "` (" . $insertParamsObj->WA_tableValues . ") VALUES (" . $insertParamsObj->WA_dbValues . ")";
$MM_editCmd = mysql_query($WA_Sql, $WA_connection) or die(mysql_error());
$_SESSION[$WA_sessionName] = mysql_insert_id();
if ($WA_redirectURL != "") {
if ($WA_keepQueryString && $WA_redirectURL != "" && isset($_SERVER["QUERY_STRING"]) && $_SERVER["QUERY_STRING"] !== "" && sizeof($_POST) > 0) {
$WA_redirectURL .= ((strpos($WA_redirectURL, '?') === false)?"?":"&").$_SERVER["QUERY_STRING"];
}
header("Location: ".$WA_redirectURL);
}
}
?>

domedia
11-17-2009, 07:13 PM
Moving to PHP so you can get some help

edbr
11-18-2009, 01:11 AM
You could try to sanitise first, before the script runs, maybe as in
$_POST["commentsbox"] = strip_tags($_POST["commentsbox"]);
I haven't tested this, but it shouldn't affect the script integrity, or at least it is easy to remove if it does.

woofy
11-18-2009, 08:30 PM
This has helped resolve it. The final code is below and works.

((isset($_POST["commentsbox"]))?(strip_tags($_POST["commentsbox"])):"")
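As an added example (not code from this thread or from the generated Data Assist script above), the PHP below runs on a few constructed comment strings and shows three things a reviewer would want to see next to the fix above: what strip_tags() on input does and what it silently loses, the output-side encoding (htmlspecialchars) that stops a stored comment from rendering as HTML no matter what is in the database, and a side effect of the generated script that the thread does not raise: it joins every field value with "|" and explodes them again, so a comment containing "|" shifts the later columns. The field list is copied from $WA_fieldNamesStr; the function names and sample comments are mine.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from the generated script.
// Function names and the sample comments below are constructed.

/** (1) Input-side stripping, as used in the thread. */
function stripOnInput(string $comment): string
{
    return strip_tags($comment);
}

/** (2) Output-side encoding for an HTML body or quoted-attribute context.
 *  ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE avoids returning
 *  an empty string on invalid UTF-8 instead of failing silently. */
function encodeForHtml(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** (3) The "|" join/split from the generated script, reduced to its effect. */
function waColumnCount(array $fieldNames, array $fieldValues): array
{
    $joined = implode('|', $fieldValues);   // what $WA_fieldValuesStr is built as
    $split  = explode('|', $joined);        // explode("|", $WA_fieldValuesStr)
    $idx    = array_search('COMMENTS', $fieldNames, true);
    return [
        'expected_columns' => count($fieldNames),
        'actual_columns'   => count($split),
        'COMMENTS'         => $split[$idx],
        'next_slot'        => $split[$idx + 1] ?? null,   // positionally, USERIDENT
    ];
}

// Constructed test input.
$samples = [
    '<script>alert(document.cookie)</script>',   // stored-XSS probe
    '<b onmouseover="alert(1)">hi</b>',          // handler on a "harmless" tag
    'x<y and y>x',                                // no markup intended at all
];

foreach ($samples as $s) {
    printf("input:    %s\nstripped: %s\nencoded:  %s\n\n",
        $s, stripOnInput($s), encodeForHtml($s));
}
// Third sample: strip_tags() treats "<y and y>" as a tag and deletes it, so
// the user's text is mangled. htmlspecialchars() keeps it readable and inert
// (&lt; / &gt;). Stripping on input is a fine content policy ("no markup in
// comments") but is not the XSS defence; encoding at the point of output is,
// and it also covers rows inserted before strip_tags() was added.

$fieldNames = ['USERNAME', 'COMMENTER', 'PAGE', 'COMMENTS', 'USERIDENT', 'COMMIDENT'];
print_r(waColumnCount($fieldNames,
    ['alice', 'Bob', 'http://example.invalid/page', 'great shot | nice', '7', 'star']));
// Six names, seven values: COMMENTS becomes "great shot " and the fifth
// slot, which by position belongs to USERIDENT, is now " nice" rather than
// the owner's ID. What WA_AB_generateInsertParams() does with the surplus
// value is not shown on this page; strip_tags() does not touch "|" either
// way, so this is independent of the HTML question.
```

Running it with `php` on the command line prints the three comparisons and the column count; the practical takeaway is to keep strip_tags() (or not) as a content decision, but to wrap the comment in htmlspecialchars() where it is echoed on the members page, and to avoid passing user text through a "|"-delimited string at all.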

woofy
04-18-2011, 08:38 PM
This is an old topic that I am revisiting: how can I modify the code above to keep out CERTAIN tags only, such as images and scripts, and allow the rest, such as hyperlinks etc.?
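An added example for this follow-up question (not code from the thread): strip_tags() accepts a second argument listing tags to keep, but it leaves every attribute on those tags untouched, so an allowed <a> still carries a javascript: href or an onclick handler. The script below shows that, then contrasts it with an attribute-aware allow-list built on DOMDocument (ext-dom). The policy is my assumption: keep <a>, <b>, <i>, <p> and <br>; on <a> keep only href and only for http, https or mailto URLs; drop every other element and attribute. The probe string is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Policy and names are mine.
const ALLOWED      = ['a' => ['href'], 'b' => [], 'i' => [], 'p' => [], 'br' => []];
const SAFE_SCHEMES = ['http', 'https', 'mailto'];

/** What strip_tags() with its allowable-tags argument leaves behind. */
function stripWithAllowList(string $html): string
{
    return strip_tags($html, '<a><b><i><p><br>');
}

/** Allow-list sanitiser: unknown elements are unwrapped, attributes filtered. */
function sanitizeComment(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);      // silence HTML-parser warnings
    // The XML declaration makes libxml read the fragment as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    cleanChildren($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;   // libxml may wrap loose text in <p>, which this policy allows
}

function cleanChildren(DOMNode $parent): void
{
    // Iterate over a snapshot: the loop body mutates the live child list.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMComment) {
            $parent->removeChild($child);
            continue;
        }
        if (!$child instanceof DOMElement) {
            continue;                                // text nodes are kept as-is
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED[$tag])) {
            if ($tag === 'script' || $tag === 'style') {
                $parent->removeChild($child);        // drop the element and its body
            } else {
                // <img>, <iframe>, <div>, ...: unwrap, keeping cleaned children.
                cleanChildren($child);
                while ($child->firstChild !== null) {
                    $parent->insertBefore($child->firstChild, $child);
                }
                $parent->removeChild($child);
            }
            continue;
        }
        // Allowed element: remove every attribute not listed (onclick, style, ...).
        foreach (iterator_to_array($child->attributes) as $attr) {
            if (!in_array(strtolower($attr->name), ALLOWED[$tag], true)) {
                $child->removeAttribute($attr->name);
            }
        }
        if ($tag === 'a' && $child->hasAttribute('href')) {
            $scheme = parse_url(trim($child->getAttribute('href')), PHP_URL_SCHEME);
            // parse_url() yields null for relative or unparsable URLs; both are
            // rejected, so javascript:, data:, vbscript: and broken values fail closed.
            if (!is_string($scheme) || !in_array(strtolower($scheme), SAFE_SCHEMES, true)) {
                $child->removeAttribute('href');
            } else {
                $child->setAttribute('rel', 'nofollow noopener');
            }
        }
        cleanChildren($child);
    }
}

// Constructed probe covering the cases the question names.
$probe = '<a href="javascript:alert(1)" onclick="alert(2)">click</a> '
       . '<img src="x" onerror="alert(3)"> <script>alert(4)</script> '
       . '<b style="color:red">bold</b> <a href="https://example.invalid/">ok</a>';

echo stripWithAllowList($probe), "\n";
// <img> and <script> tags are removed, but the script body "alert(4)" stays
// as text and the first <a> keeps both its javascript: href and onclick.
echo sanitizeComment($probe), "\n";
// The first <a> survives with neither href nor onclick; <img> and <script>
// are gone (script body included); <b> loses style; the https link keeps
// its href and gains rel="nofollow noopener".
```

Whichever of the two you use, keep the htmlspecialchars() call out of this path: the sanitised fragment is meant to be rendered as HTML, so it is the one field you deliberately echo raw, which is exactly why the attribute filtering above has to be strict. Relative links are dropped by this policy; relax the scheme check if you need them.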