Jump to content

Recommended Posts

I've always made private scripts that only I've used, so I never really worried about security. However, I'm now making a script for a friends website, and I'm trying to figure out how to display user input properly so they aren't able to use some kind of code in the input field and have that executed.

 

How would one go about displaying this input without having malicious code ran?

 

Thanks,

 

Link to comment
https://forums.phpfreaks.com/topic/154304-outputting-user-input/
Share on other sites

use validation routines

preg_match works good here

 

if u expect an email addy, than use a pattern for email addresses

if u expect a name, than use a pattern that just accepts spaces and alpha characters

if u expect a number, than ....

....

 

when it comes to free form input boxes, such as comments

 

than use html_entities or similar functions, which will replace html tags with their meta character equivalents.

 

and if yer putting this into a mysql database.

remember to use mysql_real_escape_string

 

than use html_entities or similar functions, which will replace html tags with their meta character equivalents.

 

<B> with html_entities wud produce <B>

 

but if this is going into a db, remember the mysql_escape_string

 

But I don't want to produce "<B>" in the output, I actually want it to show as "<B>HEY</B>".. just not execute and make the word HEY bold.

But I don't want to produce "<B>" in the output, I actually want it to show as "<B>HEY</B>".. just not execute and make the word HEY bold.

 

That is the only way to prevent the webpage from executing it. You will not find another way, other than maybe using <pre> </pre> tags around the output or showing the output as a text file not an html file.

than use html_entities or similar functions, which will replace html tags with their meta character equivalents.

 

<B> with html_entities wud produce <B>

 

but if this is going into a db, remember the mysql_escape_string

 

But I don't want to produce "<B>" in the output, I actually want it to show as "<B>HEY</B>".. just not execute and make the word HEY bold.

 

When  you display something using htmlentities it will display the tags, not execute them;

 

Just try:

<?php
$a = '<b>This is Bold</b>';
echo $a . '<br>';
echo htmlentities($a) . '<br>';
?>

 

Ken

Thanks for all the help, I've figured out how I want to do this now. I've even tested with it a bit already and have something going.

 

Just something I've noticed though, after the user submits the form, in the address bar they're able to see all the information they've just submitted. It there a way to change that show it only shows my base website for example: http://www.Example.com instead of http://www.Example.com/submit.php?action=post (etc.. etc.. etc..)

 

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.