Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I have a form with a text field a user can edit, which will create a page on the website containing the text entered. How can I ensure the resulting page doesn't show anything malicious, no links, images or code, just raw text? Currently from php I'm using htmlspecialchars(), and when displaying the text on the page it's within xmp tags. Is that enough, or should I explicitly do things like validating against script tags etc?
edit: This question is different to the suggested question, because I'm not using sql.
edit 2: I accepted strip_tags. I'm now validating user input from php with htmlspecialchars(strip_tags("input")), and wrapping in xmp tags when displayed.
You can use strip_tags - it will remove everything in tags. http://php.net/manual/en/function.strip-tags.php
First of all: use prepared statments for your database storing, updating etc etc...
Second: You should escape the output using htmlspecialchars() function, It will just convert special characters to HTML entities, so if you put a script tag in there, It will not run.
Unless you want your users to post code just like here in StackOverflow, you can just use strip_tags() function as #user2182349 pointed out.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I want to get all the visible text from a url. I need to clear all html code and get plain text.
The process does not have to be perfect, but I would like the text to be as clean as possible.
Do you know any way to make it relatively simple?
Thanks!
Javi.
Have a look at strip_tags function.
strip_tags — Strip HTML and PHP tags from a string
It may do the job.
You can get url the value of the query string using $_GET['the names in there']. and use strip_tags to get only the text.
function get_url(){ return $_GET['name userd'];}
and use something like this
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 6 years ago.
Improve this question
I have an input named comment. User writes his comment into it and sends it under a post. Something like StackOverflow's comments:
As you see, there is a <a> tag into new comment. And it will be stored in the database like this:
And when I fetch it again, it breaks the HTML of my website:
I mean everything after that <a> will be a link. I don't want that. How can I prevent that happening?
If you wish to store no tag, then use strip_tags and if you still wish to have mark-up then use something like Parsedown.
Example
$string = '<b>Hello,<> please remove the <> tags.</b>';
echo strip_tags($string);
Output
Hello, please remove the tags.
Update
What you are actually looking for is htmlspecialchars.
<?php
$str = 'Hello blah.';
echo htmlspecialchars($str, ENT_QUOTES);
?>
Output
Hello blah.
You can use what some plugins does on wordpress they change the < and > for [ and ].
To prevent code injection I recomend replacing only the following tags
<p></p><ul></ul><li></li><a></a>
This is done vía javascript in client side and sent to server vía ajax:
$("yourtag").replace(/</g, "[").replace(/>/g, "]").replace(/"/g, "'").replace(/ /g, "andnbsp");
If you are using php to retreive data from the DB, you need to use strreplace on the column where the html is stored, to change [] with <>, in this way your code will not be break
Keep in mind to only allow the tags you want as allowing all kinds of tags open the door to an out security, this is donde on server side languaje.
Hope this is helpful...
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 6 years ago.
Improve this question
I'm developing a Blog, and I want to give some Style to the content of Every post body.
I'm storaging each post with a form into my data base, and then retrieving it into the blog.
My form has Title, Date and Body.
What I need is to retrieve the body, and separate the paragraphs, quotes, and whatever I want to.
My idea was to add characters in the body like % or & (% mean paragraph, and & quote for example), so the I can use explote function.
Is there a simpler way?
You'd honestly be so much better to store your post's content as HTML and simply output that.
You'll have to implement security yourself but this could be as simple as using the strip_tags() function - example:
$post_body = strip_tags($_POST['body'], '<p><strong><em><span><a><blockquote>');
This would simply strip all HTML tags other than <p>, <strong>, <em>, <span>, <a> and <blockquote>. That should prevent any issues with malicious users inserting Javascript code etc.
Hope that helps!
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I am working on a form completion view that needs to be easily copied. One of the inputs is a that displays multiple lines. So person can type out something that looks like this.
Dear Bob,
I am here to do this.
Thank you
SirRahal
I then take that data and store it into a database as varchar(1500) latin1_swedish_ci. The issue is that when I try to display this data in anything other than a it combines all the lines into 1. Example the not above would display like this:
Blockquote
Dear Bob, I am here to do this. Thank you SirRahal
The reason why I can't use a textarea to display it is because it doesn't copy and paste friendly.
Questions:
1) Is there another way of displaying this correctly?
2) Are there hidden characters in the string that I can use to identify in php and parse the text?
This code does work but I can't use a textarea:
<textarea>
<?php echo $model->description;?>
</textarea>
I believe you need to add nl2br when you output, e.g.
<?php echo nl2br($model->description);?>
Use CSS, and set white-space: pre on the container of the text.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 1 year ago.
Improve this question
I have a javascript-based rich text editor.
What is the safest way to save the tags it generates?
I'm using MySQL as my database.
I'm not sure if using mysql_real_escape_string($text); is safe.
I can't think of a reason to use htmlentities here. mysql_real_escape_string is vital here because it prevents people from injecting malicious SQL code like ';DROP * FROM table foo;-- into you database. I'd try it without htmlentities, if you find that you need to convert to entities then you could try htmlspecialchars instead which only converts special characters.
If you want to limit the allowed HTML in your form you might also want to look into the strip_tags function.
Relevant documentation:
http://us2.php.net/manual/en/function.htmlentities.php
http://us2.php.net/manual/en/function.htmlspecialchars.php
Good luck
I'd recommend that you use mysqli to interface with the database, that way you don't need to escape data and get a complete protection against SQL injections. You may of course still need to protect against HTML injections.
You do not need to write the string of text to a JavaScript file. If you need it to be handled by JavaScript I suggest that you fetch the data using an XMLHttpRequest (which contrary to what the name suggests does not require your data to be in XML form).