Allowing comments on website... how should I validate/filter the input... ?


cgm225


I want to allow users to leave comments on my website, and allow BBC in the comments. First, what actions should I be doing on the user-provided data (i.e. the comment) to make sure it's safe before I store it in my database and then for query when I display it on the website? Restated, how should I be filtering and/or validating the comment data? Also, how do I transform BBC into actual HTML elements when I output it to the website?

So I assume you are running a strip_tags on the raw comment, in case someone does want to slip some HTML in there. That will leave you with just BBC. Now make yourself a quick array of what you want to allow in your BBC, like this:

$bbc = array("[b]", "[i]", "[h1]"); // add closing tags too

Then a replace-with array:

$html  = array("<b>", "<i>", "<h1>");

Then:

$html_comment = str_replace($bbc, $html, $comment);

Now if somebody puts valid (meaning in your $bbc array) BBC in their comment, then it replaces it; if it is invalid, it stays as BBC and is displayed on the web as such.

HTML would look like this:

<b>I think this is </b> [bad bbc]

And print in the comment like:

I think this is [bad bbc]
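A variation on the whitelist approach above, as an added example that is not part of the original posts: it encodes the comment with htmlspecialchars() at display time instead of relying on strip_tags(), and converts only complete [tag]...[/tag] pairs so an unclosed tag stays visible as text. The names render_comment() and BBCODE_TAGS are hypothetical, and it assumes the raw comment was stored unchanged through a parameterized query and is rendered each time it is displayed.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
// Whitelist of BBCode tag names => the HTML element each one becomes.
const BBCODE_TAGS = ['b' => 'b', 'i' => 'i', 'h1' => 'h1'];

function render_comment(string $raw): string
{
    // 1. Encode first: any HTML the user typed (<, >, &, quotes) is shown
    //    as literal text and never reaches the browser as markup.
    $out = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Convert only whitelisted tags, and only as complete pairs.
    //    The only markup emitted is attribute-free <b>, <i> and <h1>.
    foreach (BBCODE_TAGS as $bb => $el) {
        $name    = preg_quote($bb, '#');
        $pattern = '#\[' . $name . '\](.*?)\[/' . $name . '\]#is';
        $replace = '<' . $el . '>$1</' . $el . '>';

        // preg_replace() returns null on a PCRE error; keep the encoded
        // text in that case rather than emitting an empty comment.
        $out = preg_replace($pattern, $replace, $out) ?? $out;
    }

    // Unknown tags such as [bad bbc] and unpaired tags such as a lone [i]
    // are left exactly as typed. Mis-nested pairs ([b][i]x[/b][/i]) give
    // mis-nested but still attribute-free elements.
    return $out;
}

// Constructed sample input: valid pair, unknown tag, raw HTML, unclosed tag.
$sample = '[b]I think this is[/b] [bad bbc] <script>alert(1)</script> [i]unclosed';

echo render_comment($sample), PHP_EOL;
```

Because the encoding step runs before the tag conversion, the order of the two steps matters: reversing them would encode the generated elements as well.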

 
