Taxa
Posted June 2, 2008

I am designing a website where the user, like on this forum, can place comments, blog and customise with HTML etc. Each comment is stored in a table and stores all the writing that the user typed in.

Now I realised that the user can easily type PHP and send queries to the server, as well as use tags to screw around with the website layout.

For example: when someone gets a user's message, the message is within a table square. The message, however, can use tags like </table> to make the message outside of the table, and type various other commands, screwing around with the layout of the site.

How should I go about preventing this problem, but still allow the users full HTML customisation (similar to MySpace), but restrict them from screwing around with the site?

tjmbc
Posted June 2, 2008

Use strip_tags() with exceptions.

    strip_tags( $_POST['variable'], '<p>' )

This will allow the user to use the <p> tag. Replace the <p> with whatever tag you don't want stripped or allow multiple tags with '<p>,<a>'. You should also notice that you don't have to include the closing tag in the exception.
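
strip_tags() with an allowlist removes disallowed tags but leaves every attribute on the allowed ones (the PHP manual notes this for style and onmouseover), so the added example below, which is not from the thread, follows it with a DOM pass that drops attributes and closes unbalanced tags. The names ALLOWED_TAGS and sanitize_comment(), the allowlist itself and the sample comment are assumptions.

```php
<?php
// Added example, not from the thread. ALLOWED_TAGS, sanitize_comment()
// and the sample comment are assumptions made for illustration.
const ALLOWED_TAGS = ['p', 'b', 'i', 'a'];

function sanitize_comment(string $html): string
{
    // Pass 1: drop every tag outside the allowlist. This removes PHP
    // open/close tags and layout tags such as a stray </table>, but
    // attributes on the allowed tags are left untouched.
    $html = strip_tags($html, '<' . implode('><', ALLOWED_TAGS) . '>');

    // Pass 2: parse into a DOM so unclosed tags get closed inside our
    // wrapper and attributes can be filtered individually.
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML(
        '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '<div>' . $html . '</div>'
    );
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    // <div> is not in the allowlist, so the first one is our wrapper.
    $root = $doc->getElementsByTagName('div')->item(0);
    foreach ($root->getElementsByTagName('*') as $el) {
        foreach (iterator_to_array($el->attributes) as $attr) {
            // Keep only href on <a>, and only for http(s) URLs.
            $keep = $el->nodeName === 'a'
                && $attr->nodeName === 'href'
                && preg_match('#^https?://#i', $attr->nodeValue) === 1;
            if (!$keep) {
                $el->removeAttribute($attr->nodeName);
            }
        }
    }

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample comment.
$sample = '<p onmouseover="doSomething()">Hi <b>there</table>'
    . '<a href="javascript:doSomething()" style="position:fixed">x</a>'
    . '<a href="https://example.com/">ok</a>';
echo sanitize_comment($sample), "\n";
```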

Taxa (Author)
Posted June 2, 2008

Thanks! Is this a PHP function?

Archived
This topic is now archived and is closed to further replies.