Ok My shoutBox Is In Secure and people can submit scripts and hack my box

[scheols]

can anyone tell me how i could replace the > and < tag letters with str_replace


ive tryed replacing it but i can get it can someone edit this and fix it would be a much help

[code]
<?php
if($entrytext){
$post="<";
$old="<";
$new="&lt;";
echo str_replace($old,$new,$post);
}
?>
<?php
mysql_connect("localhost","scheols_myblog","mypassword");
mysql_select_db("scheols_myblog");
$query ="SELECT entrytitle, entrytext FROM myblog ORDER BY entrydate DESC LIMIT 10";
$result=mysql_query($query) or die(mysql_error());
while (list($entrytitle,$entrytext,$entrydate) =
mysql_fetch_row($result)) {
echo "<dt><b>$entrytitle Says: $entrydate</b></dt>";
echo "<dd>$entrytext</dd>";
  }
?>


<H1>Add an Entry</H1>
<form method="POST" action="addintry.php">
<b>Name:</b><br>
<input type="text" name="entrytitle"><br>
<b>Post Your Entry:</b><br>
<textarea cols="60" rows="6" name="entrytext">
</textarea>
<input type="submit" name="submit" value="Submit">
</form>
</dl>

</body>
</html>
[/code]

[Kurt]

Use the htmlentities() function which replaces all html special characters with their non-harmful entity equivalent.

[scheols]

how can i get it 2 work with my form -_-

[Kurt]

[quote author=scheols link=topic=99921.msg393806#msg393806 date=1152408802]
how can i get it 2 work with my form -_-
[/quote]
You coded all that but you don't know how to add the htmlentities() function? Anyways, replace these two lines:

[code]
echo "<dt><b>$entrytitle Says: $entrydate</b></dt>";
echo "<dd>$entrytext</dd>";
[/code]

with:

[code]
echo '<dt><b>'.htmlentities($entrytitle).' Says: '.$entrydate.'</b></dt>';
echo '<dd>'.htmlentities($entrytext).'</dd>';
[/code]

[scheols]

works nicly thanks sorry im still a noob this took me all day 2 get working.