N-Bomb(Nerd) Posted April 16, 2009
I've always made private scripts that only I've used, so I never really worried about security. However, I'm now making a script for a friend's website, and I'm trying to figure out how to display user input properly so they aren't able to put some kind of code in the input field and have it executed. How would one go about displaying this input without having malicious code run? Thanks,
laffin Posted April 16, 2009
Use validation routines. preg_match works well here:
- if u expect an email addy, then use a pattern for email addresses
- if u expect a name, then use a pattern that just accepts spaces and alpha characters
- if u expect a number, then ....
....
When it comes to free form input boxes, such as comments, then use html_entities or similar functions, which will replace html tags with their meta character equivalents.
And if yer putting this into a mysql database, remember to use mysql_real_escape_string.
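An added example of the two halves of that advice (it is not code from the thread): validate each field against the type you expect, then HTML-encode whatever you echo. The helper names are mine, and the email check uses filter_var instead of a hand-written pattern.

```php
<?php
// Added example, not from the thread. Validate by expected type, then
// encode on output so the browser shows user text literally.
declare(strict_types=1);

// Returns the cleaned value, or null if it does not match the expected type.
function validate_field(string $type, string $value): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > 200) {   // hard length cap first
        return null;
    }
    switch ($type) {
        case 'email':
            return filter_var($value, FILTER_VALIDATE_EMAIL) !== false ? $value : null;
        case 'name':   // letters and spaces only, as suggested above
            return preg_match('/^[A-Za-z ]+$/', $value) === 1 ? $value : null;
        case 'number':
            return preg_match('/^[0-9]+$/', $value) === 1 ? $value : null;
        default:
            return null;
    }
}

// Encode for an HTML text node or a double-quoted attribute value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input (stands in for $_POST).
$input = [
    'email'   => 'alice@example.com',
    'name'    => 'Alice <b>Smith</b>',      // fails the name pattern: rejected
    'number'  => '42',
    'comment' => '<b>HEY</b> said "hi" & left', // free form: kept, but encoded
];

$name   = validate_field('name', $input['name']);
$email  = validate_field('email', $input['email']);
$number = validate_field('number', $input['number']);

echo '<p>Name: ',   $name   === null ? 'invalid' : h($name),   "</p>\n";
echo '<p>Email: ',  $email  === null ? 'invalid' : h($email),  "</p>\n";
echo '<p>Number: ', $number === null ? 'invalid' : h($number), "</p>\n";
// The comment is not validated away; encoding makes the tags display as text.
echo '<p>Comment: ', h($input['comment']), "</p>\n";
echo '<input type="text" value="', h($input['comment']), "\">\n";
```

Encoding belongs at the point of output, for the context you are writing into (here HTML body and attribute); storing encoded text in the database mixes the two concerns.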
N-Bomb(Nerd) (Author) Posted April 16, 2009
There isn't any way to actually display the input without changing it, and keeping it from executing? For example, if someone puts <b>HEY</B> for their name, I want it to show up as "<B>HEY</B>". Thanks
laffin Posted April 16, 2009
Then use html_entities or similar functions, which will replace html tags with their meta character equivalents. <B> with html_entities wud produce &lt;B&gt;, but if this is going into a db, remember the mysql_escape_string.
N-Bomb(Nerd) (Author) Posted April 17, 2009
> Then use html_entities or similar functions, which will replace html tags with their meta character equivalents. <B> with html_entities wud produce &lt;B&gt;, but if this is going into a db, remember the mysql_escape_string.

But I don't want to produce "&lt;B&gt;" in the output, I actually want it to show as "<B>HEY</B>".. just not execute and make the word HEY bold.
premiso Posted April 17, 2009
> But I don't want to produce "&lt;B&gt;" in the output, I actually want it to show as "<B>HEY</B>".. just not execute and make the word HEY bold.

That is the only way to prevent the webpage from executing it. You will not find another way, other than maybe using <pre> </pre> tags around the output or showing the output as a text file, not an html file.
keeB Posted April 17, 2009
Then you need to make an HTML whitelist and pass the user input in to it. Here's an example written in C#: http://refactormycode.com/codes/333-sanitize-html
kenrbnsn Posted April 17, 2009
> Then use html_entities or similar functions, which will replace html tags with their meta character equivalents. <B> with html_entities wud produce &lt;B&gt;, but if this is going into a db, remember the mysql_escape_string.

> But I don't want to produce "&lt;B&gt;" in the output, I actually want it to show as "<B>HEY</B>".. just not execute and make the word HEY bold.

When you display something using htmlentities it will display the tags, not execute them. Just try:

```php
<?php
$a = '<b>This is Bold</b>';
echo $a . '<br>';               // browser renders the tag: bold text
echo htmlentities($a) . '<br>'; // browser shows the tag itself as text
?>
```

Ken
keeB Posted April 17, 2009
He wants to be protected but also allow people to enter their name in bold if they'd like (like <b>keeb</b>). This can only be done with a whitelist. PHP doesn't have one built in. Refer to my previous link for an example of how to do it.
premiso Posted April 17, 2009
You could use BBCode to do this. That would protect you, but allow the user some customization of the output.
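An added example (not from the thread) of the whitelist keeB describes, done the BBCode way premiso suggests: every character the user typed is HTML-encoded first, and only [b], [i] and [u] are then translated into tags, so the only markup that reaches the browser is markup this function emits. The function name and sample inputs are mine.

```php
<?php
// Added example, not from the thread: a minimal BBCode whitelist.
declare(strict_types=1);

function bbcode_to_html(string $text): string
{
    // Step 1: neutralise everything that means something to HTML.
    // After this line the string contains no '<', '>', '"' or raw '&'.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    // Step 2: whitelist. Each pattern requires a matching close tag and the
    // replacement is fixed, known-good markup; $1 is already-encoded text.
    $allowed = [
        '/\[b\](.*?)\[\/b\]/is' => '<b>$1</b>',
        '/\[i\](.*?)\[\/i\]/is' => '<i>$1</i>',
        '/\[u\](.*?)\[\/u\]/is' => '<u>$1</u>',
    ];
    foreach ($allowed as $pattern => $replacement) {
        $safe = preg_replace($pattern, $replacement, $safe);
    }
    // Anything not on the list ([img], [url], raw HTML) stays literal text.
    return $safe;
}

// Constructed inputs: the case from the thread, raw HTML, and an unknown tag.
$samples = [
    '[b]keeb[/b]',                                  // rendered bold, as intended
    '<b>HEY</b>',                                   // displayed literally
    '[i]"quoted" & [b]nested[/b][/i] [img]x[/img]', // [img] is not translated
];
foreach ($samples as $s) {
    echo bbcode_to_html($s), "<br>\n";
}
```

Because encoding happens before translation, an attribute-bearing tag like [url] would need its own validation of the value before it could be added to the list; the three tags here carry none, which is why the pattern can be this small.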
N-Bomb(Nerd) (Author) Posted April 17, 2009
Thanks for all the help, I've figured out how I want to do this now. I've even tested with it a bit already and have something going. Just something I've noticed though: after the user submits the form, in the address bar they're able to see all the information they've just submitted. Is there a way to change that so it only shows my base website, for example http://www.Example.com instead of http://www.Example.com/submit.php?action=post (etc.. etc.. etc..)
xtopolis Posted April 17, 2009
Use a form method of post instead of get:

<form action="somepage.php" method="post">

and receive it with $_POST['forminputname']...