Thread: https://forums.phpfreaks.com/topic/142509-solved-protect-against-html-showing/

limitphp, posted January 26, 2009

In my register.php page and other pages that use textboxes where users input things, I run all user input through this:

example)

    $securityAnswer = check_input($_POST['securityAnswer']);

    function check_input($value) {
        // Stripslashes
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
        return $value;
    }

I then show the value they typed in the textbox. So, if they didn't make the username long enough, etc., they don't have to retype everything. In this case, I put the $securityAnswer value into the textbox, that way they don't have to retype it if some other thing was messed up (password not long enough, etc.).

My problem is this: if they type '> inside of the securityAnswer textbox, it messes up my page when it tries to display it. It shows:

    ' STYLE='background-color:#ffffbb'>

after the textbox, because my page now thinks that ' STYLE='background-color:#ffffbb'> is text.

As you can see, I'm running mysql_real_escape_string; I thought this protects against that sort of thing? How can I protect against this?

Thanks
rhodesa, posted January 26, 2009

htmlspecialchars()

    print '<input type="text" name="foobar" value="'.htmlspecialchars($value).'" />';
limitphp (author), posted January 26, 2009

    Quote: htmlspecialchars()
    value="'.htmlspecialchars($value).'"

Do I need that dot in front of htmlspecialchars? Also, should I just replace those characters with nothing and not even allow them?
rhodesa, posted January 26, 2009

The dot concatenates the literal string with the function... so yes. You don't need to replace anything... you shouldn't even run it through mysql_real_escape_string() beforehand. Just use htmlspecialchars() and it will encode any characters that need to be encoded for displaying.
limitphp (author), posted January 26, 2009

    Quote: The dot concatenates the literal string with the function... so yes. You don't need to replace anything... you shouldn't even run it through mysql_real_escape_string() beforehand. Just use htmlspecialchars() and it will encode any characters that need to be encoded for displaying.

Oh yeah, sorry... I should have known about the dot...

Doesn't mysql_real_escape_string keep them from injecting something into your SQL statements?
rhodesa, posted January 26, 2009

Yes... and it should be used for that... but you are taking a value and displaying it back in a form... there is no SQL there.

Edit: for example, if I submit the value Bob's Auto Garage but missed another field, when you run it through mysql_real_escape_string() and echo it back to the form it will be:

    Bob\'s Auto Garage

which is not what you want.
limitphp (author), posted January 26, 2009

I see. Thank you.
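The approach rhodesa describes, worked through as an added example (this is not code from the thread): the submitted value is kept raw, escaped with htmlspecialchars() only at the point of HTML output, and handed to the database through a prepared statement instead of mysql_real_escape_string(). ENT_QUOTES is added so that the single quote is encoded too, which matters for single-quoted attributes like the STYLE='...' one in the first post. The helper names h(), render_input() and store_answer(), the PDO usage and the table/column names are assumptions, not from the thread.

```php
<?php
// Added example, not code from the thread: keep the submitted value raw and
// escape it for the context it is emitted into (HTML attribute vs SQL).

// Escape for HTML text or attribute values. ENT_QUOTES makes the single
// quote (') get encoded as well; without it, a value like  '>  still breaks
// out of a single-quoted attribute such as the poster's STYLE='...' markup.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Re-render the text box with the user's previous answer filled in.
function render_input(string $name, string $value): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '" />';
}

// Database side: a prepared statement takes the place of
// mysql_real_escape_string(), so the raw value is stored correctly and no \'
// ever travels back into the form. Table and column names are assumed.
function store_answer(PDO $db, int $userId, string $answer): void
{
    $stmt = $db->prepare('UPDATE users SET security_answer = :a WHERE id = :id');
    $stmt->execute([':a' => $answer, ':id' => $userId]);
}

// Constructed sample inputs: the attribute-breaking value from the first
// post, a double-quote variant, and the apostrophe case from rhodesa's reply.
$samples = [
    "'>",
    '"><i>x</i>',
    "Bob's Auto Garage",
];

foreach ($samples as $raw) {
    // $raw is what would go to store_answer(); only the escaped copy is
    // written into the page, so the apostrophe round-trips without a backslash.
    echo render_input('securityAnswer', $raw), "\n";
}
```

The same raw string serves both sinks; the escaping differs per sink, which is the point rhodesa makes about there being "no SQL there" when the value is only echoed back into the form.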
Archived: This topic is now archived and is closed to further replies.