

Code Display?


6 replies to this topic

#1 jjb123

    Young Padawan

  • Members
  • Pip
  • 7 posts

Posted 02 February 2007 - 07:54 PM

Hi everyone, first off I want to say I am new here although I have been using your tutorials for a long time.

I have a small tutorial submission script on my website and often tutorials have < and > in them. This, of course, gets parsed as HTML when the tutorial is displayed and messes up my layout. Is there any way to check the input from a textarea with PHP and change all the < and > to &lt; and &rt; respectively within a certain div (a div used for just formatting the code) or is there any other way to achieve what I am trying to do? Thank you.

- jjb123

#2 Hayden

    P2L Jedi

  • Members
  • PipPipPip
  • 716 posts
  • Gender:Male
  • Location:Texas

Posted 02 February 2007 - 11:04 PM

Check out htmlspecialchars()


Also search P2L and Google for ideas on 'Sanitizing user input'. I always put 'PHP' at the end of my search for Google so it knows I want anything related to PHP.

Edited by SpatialVisionary, 02 February 2007 - 11:06 PM.


#3 jjb123

    Young Padawan

  • Members
  • Pip
  • 7 posts

Posted 03 February 2007 - 09:03 AM

Thank you for posting that link for the htmlspecialchars, that will help a lot. I tried searching for what you said and all I found were pages of links for protecting from SQL injection, nothing about what I want to do. Maybe I can use something like the bbcode system where [ code ] and [/ code] signifies the start and end of code. Does anyone know how this is done?

#4 Demonslay

    P2L Jedi

  • Members
  • PipPipPip
  • 970 posts
  • Gender:Male
  • Location:A strange world where water falls out of the sky... for no reason.
  • Interests:Graphic Design, Coding, Splinter Cell, Cats

Posted 03 February 2007 - 03:56 PM

Take a gander at this topic that I remember helped me a ton when I was first learning how to create 'BBCode'. The mystery of using the secret 'code' tags has been revealed!

http://www.pixel2lif...showtopic=21900

#5 blacky

    Young Padawan

  • Members
  • Pip
  • 34 posts
  • Gender:Male

Posted 03 February 2007 - 07:01 PM

jjb123, on Feb 3 2007, 06:03 AM, said:

I tried searching for what you said and all I found were pages of links for protecting from sql injection

I think you found what he wanted you to. If users can submit their own data and have it parse as HTML ( or... anything they want.. ), well... do I have to tell you what can happen?

#6 jjb123

    Young Padawan

  • Members
  • Pip
  • 7 posts

Posted 03 February 2007 - 07:47 PM

That helped a little but I am still confused on how to actually find the bbcode code tags and replace all HTML things in it with entities. That tutorial just showed how to ignore other bbcode tags, not convert HTML tags to anything. What should I do? I can't just change all the < and > in the inputted information to entities because there are some div and br's in the text being inputted that need to be rendered.

Edited by jjb123, 03 February 2007 - 08:33 PM.


#7 Demonslay

    P2L Jedi

  • Members
  • PipPipPip
  • 970 posts
  • Gender:Male
  • Location:A strange world where water falls out of the sky... for no reason.
  • Interests:Graphic Design, Coding, Splinter Cell, Cats

Posted 03 February 2007 - 09:56 PM

jjb123, on Feb 3 2007, 08:03 AM, said:

Maybe I can use something like the bbcode system where [ code ] and [/ code] signifies the start and end of code. Does anyone know how this is done?

Just was giving you what you were asking for.

Now, what you are asking for now requires a bit more problem solving and logic.
Before that you could always go easy and just use strip_tags() and use the second parameter to give it what tags to ignore.

You may want to use that function in your first step anyway, to at least prevent any <object>, <frame>, <iframe>, or <script> tags that users can use to do damage to your site.


Since you want the user to still be able to use full-fledged HTML, especially ones like <div> and other nesting elements, you'll need to find an iterating function that will auto-close all tags to make sure nothing will screw your site layout.
I typically find a lot of them on the PHP site under the comments of preg_match_all(), such as this one.
That should keep your site safe and still provide HTML usage for your tutorial users. :angrylooking:

Edited by Demonslay, 03 February 2007 - 09:57 PM.
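
The approach discussed in this thread, as an added example that is not from any of the posters: [code] blocks are lifted out and escaped with htmlspecialchars() before strip_tags() runs on the rest of the text, then put back. The function name render_tutorial, the marker format, the CSS class and the allowed-tag list are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

function render_tutorial(string $input): string
{
    $token  = bin2hex(random_bytes(8)); // unguessable, so input cannot forge a marker
    $blocks = [];

    // 1. Lift every [code]...[/code] block out first and escape its contents,
    //    so the tag stripping in step 2 never sees the code.
    $text = preg_replace_callback(
        '~\[code\](.*?)\[/code\]~is',
        function (array $m) use (&$blocks, $token): string {
            $marker = "@@CODE{$token}_" . count($blocks) . '@@';
            $blocks[$marker] = '<pre class="code">'
                . htmlspecialchars($m[1], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
                . '</pre>';
            return $marker;
        },
        $input
    );

    // preg_* returns null on failure (e.g. backtrack limit): fail closed
    // by escaping the whole submission instead of rendering any of it.
    if ($text === null) {
        return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // 2. Outside code blocks, keep only the layout tags mentioned in the thread.
    $text = strip_tags($text, '<div><br>');

    // 3. Put the escaped blocks back; strtr() does not rescan replaced text.
    return $blocks ? strtr($text, $blocks) : $text;
}

// Constructed sample input.
$sample = "<div>Intro<br></div><script>alert(1)</script>\n"
        . "[code]<div class=\"x\"> & </div>[/code]";
echo render_tutorial($sample), "\n";
```

strip_tags() keeps the attributes of the tags it allows, so event-handler attributes such as onclick on an allowed <div> pass through it unchanged. Rendering user-supplied HTML safely needs an allowlist sanitizer that also filters attributes; escaping everything outside [code] as well is the simpler default.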





