N-Bomb(Nerd) Posted April 16, 2009 Share Posted April 16, 2009 I've always made private scripts that only I've used, so I never really worried about security. However, I'm now making a script for a friends website, and I'm trying to figure out how to display user input properly so they aren't able to use some kind of code in the input field and have that executed. How would one go about displaying this input without having malicious code ran? Thanks, Quote Link to comment https://forums.phpfreaks.com/topic/154304-outputting-user-input/ Share on other sites More sharing options...
laffin Posted April 16, 2009 Share Posted April 16, 2009 use validation routines preg_match works good here if u expect an email addy, than use a pattern for email addresses if u expect a name, than use a pattern that just accepts spaces and alpha characters if u expect a number, than .... .... when it comes to free form input boxes, such as comments than use html_entities or similar functions, which will replace html tags with their meta character equivalents. and if yer putting this into a mysql database. remember to use mysql_real_escape_string Quote Link to comment https://forums.phpfreaks.com/topic/154304-outputting-user-input/#findComment-811233 Share on other sites More sharing options...
N-Bomb(Nerd) Posted April 16, 2009 Author Share Posted April 16, 2009 There isn't any way to actually display the input without changing it, and keeping it from executing? For example if someone puts for their name <b>HEY</B>.. I want it to show up as "<B>HEY</B>". Thanks Quote Link to comment https://forums.phpfreaks.com/topic/154304-outputting-user-input/#findComment-811263 Share on other sites More sharing options...
laffin Posted April 16, 2009 Share Posted April 16, 2009 than use html_entities or similar functions, which will replace html tags with their meta character equivalents. <B> with html_entities wud produce <B> but if this is going into a db, remember the mysql_escape_string Quote Link to comment https://forums.phpfreaks.com/topic/154304-outputting-user-input/#findComment-811268 Share on other sites More sharing options...
N-Bomb(Nerd) Posted April 17, 2009 Author Share Posted April 17, 2009 than use html_entities or similar functions, which will replace html tags with their meta character equivalents. <B> with html_entities wud produce <B> but if this is going into a db, remember the mysql_escape_string But I don't want to produce "<B>" in the output, I actually want it to show as "<B>HEY</B>".. just not execute and make the word HEY bold. Quote Link to comment https://forums.phpfreaks.com/topic/154304-outputting-user-input/#findComment-812041 Share on other sites More sharing options...
premiso Posted April 17, 2009 Share Posted April 17, 2009 But I don't want to produce "<B>" in the output, I actually want it to show as "<B>HEY</B>".. just not execute and make the word HEY bold. That is the only way to prevent the webpage from executing it. You will not find another way, other than maybe using <pre> </pre> tags around the output or showing the output as a text file not an html file. Quote Link to comment https://forums.phpfreaks.com/topic/154304-outputting-user-input/#findComment-812044 Share on other sites More sharing options...
keeB Posted April 17, 2009 Share Posted April 17, 2009 Then you need to make an HTML whitelist and pass the user input in to it. Here's an example written in C#: http://refactormycode.com/codes/333-sanitize-html Quote Link to comment https://forums.phpfreaks.com/topic/154304-outputting-user-input/#findComment-812045 Share on other sites More sharing options...
kenrbnsn Posted April 17, 2009 Share Posted April 17, 2009 than use html_entities or similar functions, which will replace html tags with their meta character equivalents. <B> with html_entities wud produce <B> but if this is going into a db, remember the mysql_escape_string But I don't want to produce "<B>" in the output, I actually want it to show as "<B>HEY</B>".. just not execute and make the word HEY bold. When you display something using htmlentities it will display the tags, not execute them; Just try: <?php $a = '<b>This is Bold</b>'; echo $a . '<br>'; echo htmlentities($a) . '<br>'; ?> Ken Quote Link to comment https://forums.phpfreaks.com/topic/154304-outputting-user-input/#findComment-812049 Share on other sites More sharing options...
keeB Posted April 17, 2009 Share Posted April 17, 2009 He wats the be protected but also allow people to enter their name in bold if they'd like (like <b>keeb</b>) This can only be done with a whitelist. PHP doesn't have one built in. Refer to my previous link for an example of how to do it. Quote Link to comment https://forums.phpfreaks.com/topic/154304-outputting-user-input/#findComment-812051 Share on other sites More sharing options...
premiso Posted April 17, 2009 Share Posted April 17, 2009 You could use BBCode to do this. That would protect you, but allow user for customization of the output. Quote Link to comment https://forums.phpfreaks.com/topic/154304-outputting-user-input/#findComment-812055 Share on other sites More sharing options...
N-Bomb(Nerd) Posted April 17, 2009 Author Share Posted April 17, 2009 Thanks for all the help, I've figured out how I want to do this now. I've even tested with it a bit already and have something going. Just something I've noticed though, after the user submits the form, in the address bar they're able to see all the information they've just submitted. It there a way to change that show it only shows my base website for example: http://www.Example.com instead of http://www.Example.com/submit.php?action=post (etc.. etc.. etc..) Quote Link to comment https://forums.phpfreaks.com/topic/154304-outputting-user-input/#findComment-812058 Share on other sites More sharing options...
xtopolis Posted April 17, 2009 Share Posted April 17, 2009 using a form method of post instead of get <form action="somepage.php" method="post"> and receive it with $_POST['forminputname']... Quote Link to comment https://forums.phpfreaks.com/topic/154304-outputting-user-input/#findComment-812063 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.