yungbloodreborn

Members
  • Posts: 45
  • Joined
  • Last visited: Never

Everything posted by yungbloodreborn

  1. Perfect! Just what I needed, and I didn't even have to ask... :) -YB
  2. I'm already using sessions. This is in a members only section. I understand how to add stuff like editing. I simply don't want to allow raw HTML code being entered in from the user. I don't want the possibility of users adding malicious code, i.e. scripts and the like.
  3. I'm sure that's possible, I've nested function calls like that before in PHP. But I fail to see the reason for putting addslashes in a stripslashes call with nothing in between. -YB
  4. Don't worry about the quote issue I was having. I fixed that with a combination of addslashes & stripslashes: addslashes in the file that writes the message file, and stripslashes in the files that read the messages. -YB
  5. First, I'd like to thank the ones that have helped me on my other 2 questions. I am very impressed with this site. My basic problem is this: I need a way of filtering out HTML and scripting languages. It's for a message board script, and I don't want anyone to be able to cause problems with the site. I don't want people to be able to insert JavaScript, or the like. So how do I filter that out? (More detail below)

     Ok, with the project I'm working on, I have it technically working, it just has a security flaw I need help eliminating. I'm working on writing a simple message board. It doesn't sort by thread, or anything fancy like that. I have the messages stored as PHP files with 3 vars: $username, $subject and $message. They are named like "1.php" - "1000.php", or however many there are. So the files look like this:

     [code]
     <?php
     $username = "yungbloodreborn";
     $subject = "Test";
     $message = "Hi, this is a test message... I hope it works...";
     ?>
     [/code]

     Then I have one file "count.php" that has the number of the last message entered in it.

     [code]
     <?php
     $count = 5;
     ?>
     [/code]

     That way my message index page simply starts at $count and counts down, and includes each message file to get its $username & $subject. I have another page that just includes the one message file that you want to read, and displays all 3 vars. I already wrote the script that writes the message files & updates the count file. It's all working as it should.

     The piece that needs to be secured is the part that takes the info from the forms, and writes it to the file. If I try to put in a quote mark, it thinks it's closing the string. Also, I need to make sure that users can't enter any PHP (or other script) code. I don't care if users can enter actual HTML for links/images or other formatting. I just don't want them to be able to hack my site with malicious code in a message. I've skimmed over the bbPHP code, and saw how to turn custom tags into HTML, I can make that work. But I haven't found anything that will strip out any scripting, or deal with quotes.
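An added example (not the poster's code, and not from bbPHP) showing one way to close both holes described in the post above while keeping the "one PHP file per message" layout. Quotes are handled by writing each variable with var_export(), which emits a correctly escaped PHP string literal, so nothing a user types can terminate the string or be parsed as PHP. Scripting is handled at display time: everything is escaped with htmlspecialchars(), and only a small allowlist of BBCode tags is turned back into markup, so users get links and bold text without ever supplying raw HTML. The function names, the BBCode tags chosen and the temp directory are assumptions made for this example.

```php
<?php
// Added example, not the poster's code. Same layout as the post above
// ($username, $subject, $message in N.php) but written with var_export()
// and rendered through htmlspecialchars() plus a BBCode allowlist.
// write_message/read_message/render_message and $dir are assumptions.

declare(strict_types=1);

function write_message(string $dir, int $id, string $username, string $subject, string $message): void
{
    // var_export() produces a single-quoted literal with ' and \ escaped,
    // so user text (quotes, backslashes, even "?>") stays inside the string.
    $php = "<?php\n"
         . '$username = ' . var_export($username, true) . ";\n"
         . '$subject = '  . var_export($subject, true)  . ";\n"
         . '$message = '  . var_export($message, true)  . ";\n";
    file_put_contents($dir . '/' . $id . '.php', $php, LOCK_EX);
}

function read_message(string $dir, int $id): array
{
    $username = $subject = $message = '';
    include $dir . '/' . $id . '.php';   // defines the three variables locally
    return ['username' => $username, 'subject' => $subject, 'message' => $message];
}

// Escape everything first, then re-enable only the markup we choose to allow.
function render_message(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // [b]...[/b] -> <b>...</b>; the inner text is already escaped.
    $safe = preg_replace('#\[b\](.*?)\[/b\]#s', '<b>$1</b>', $safe);
    // [url]...[/url] -> link, but only for http(s) URLs, so javascript:
    // and data: schemes can never become an href.
    $safe = preg_replace(
        '#\[url\](https?://[^\s\[\]<>"\']+)\[/url\]#i',
        '<a href="$1" rel="nofollow">$1</a>',
        $safe
    );
    return nl2br($safe);
}

// Constructed sample input containing the things the post worries about:
// quotes, a closing PHP tag, a script tag, and some allowed BBCode.
$dir = sys_get_temp_dir() . '/board_example';
@mkdir($dir);
write_message(
    $dir,
    1,
    'yungbloodreborn',
    'Test "quotes"',
    "He said \"hi\" and it's fine. ?>\n<script>alert(1)</script>\n[b]bold[/b] [url]https://example.com/?a=1&b=2[/url]"
);

$m = read_message($dir, 1);
echo render_message($m['username']), "\n";
echo render_message($m['subject']), "\n";
echo render_message($m['message']), "\n";
```

The order matters: escaping runs before the BBCode replacements, so the `<script>` tag comes out as visible text while `[b]` and a plain `https://` `[url]` become markup. Writing the file with var_export() also removes the need for the addslashes/stripslashes pairing mentioned earlier in the thread, since the stored file is a valid PHP literal no matter what the user typed.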
  6. To give a better idea what I'm trying to do, I'm creating a message board. The files in the dir I'm reading from are numbered 1 through $count, i.e. 1.php, 2.php, 3.php, etc... Each one is a message. Is there an easy way to make sure that $_GET['msg'] is a number between 1 and $count so I can be sure they aren't passing anything they shouldn't?
  7. I know it's insecure to read a file based on a user input. But what about something like this? Is this secure enough to trust? I think my server is also using open_base. [code]include 'dir/'.$_GET['msg'].'.php';[/code]
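An added example (not the poster's code) that answers both of the two posts above together: $_GET['msg'] is accepted only if it is a whole number between 1 and $count, and only that validated integer, never the raw request value, is used to build the path that gets included. FILTER_VALIDATE_INT is stricter than an (int) cast, which would silently turn "1.php" into 1. The function names and the message directory are assumptions made for this example.

```php
<?php
// Added example, not the poster's code. Validates the message number
// before it is ever used in a file path. message_id() and load_message()
// are assumed names for this example.

declare(strict_types=1);

/**
 * Return the message number as an int, or null if $raw is not a plain
 * decimal integer in [1, $count]. FILTER_VALIDATE_INT rejects values
 * such as "1.php", "01", "1e3" and "../count"; min_range/max_range
 * then bound the number to the messages that actually exist.
 */
function message_id($raw, int $count): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;                 // missing value or an array (msg[]=1)
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $count],
    ]);
    return $id === false ? null : $id;
}

function load_message(string $dir, $raw, int $count): ?array
{
    $id = message_id($raw, $count);
    if ($id === null) {
        return null;                 // caller shows "no such message"
    }
    // The path is built from our own int, so "../" or a URL can never reach here.
    $path = $dir . '/' . $id . '.php';
    if (!is_file($path)) {
        return null;
    }
    $username = $subject = $message = '';
    include $path;                   // defines the three variables locally
    return ['username' => $username, 'subject' => $subject, 'message' => $message];
}

// Constructed inputs showing what is accepted and what is rejected for $count = 5.
$count = 5;
foreach (['3', '5', '0', '6', '1.php', '../count', '01', '1e3', ['x']] as $raw) {
    var_dump(message_id($raw, $count));   // int(3), int(5), then NULL for the rest
}

// In the viewer page (directory name is an assumption):
// $m = load_message(__DIR__ . '/messages', $_GET['msg'] ?? null, $count);
```

Keeping the validation in one function means the index page and the viewer page share the same rule, and the include line itself only ever sees an integer that was produced by that rule.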