nickd_101

Using $htmlentities correctly

Hi,
I'm attempting to "secure" a form on my website. I want to stop people using XSS and running rogue code in the forms. I'm attempting to use an example I found in a book:

[code]<?php

$clean = array();
$html = array();

/* Filter Input ($name, $comment) */

$html['name'] = htmlentities($clean['name'], ENT_QUOTES, 'UTF-8');
$html['comment'] = htmlentities($clean['comment'], ENT_QUOTES, 'UTF-8');

echo "<p>{$html['name']} writes:<br />";
echo "<blockquote>{$html['comment']}</blockquote></p>";

?>[/code]
This works, allowing me to stop some HTML use but not all. Also, it just leaves a blank space. Is there any way to extract the text that the user attempts to post?

That O'Reilly book has an error. You must fill your $clean array first:

[code]$clean['name'] = $_POST['name'];
$clean['comment'] = $_POST['comment'];[/code]

Ronald  8)

Or use strip_tags() to remove HTML code completely:

[code]<?php
$str = "This is <B>bold</B>";

echo $str . '<br />';
echo htmlentities($str) . '<br />';
echo strip_tags($str) . '<br />';

?>[/code]

Output:
This is [B]bold[/B]
This is <B>bold</B>
This is bold

All that work, all that programming, to get cut down by someone who had just one function to name. That function held more power than the 10 lines of code you had up there; that was hilarious.

businessman332211: If only it were that easy to prevent hacking! But it isn't.

Ronald  8)

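As an added example, not code from the original thread or from the O'Reilly book, here is the form handler with Ronald's correction applied (the $clean array is filled from the request before anything is escaped) together with a demonstration of why strip_tags() alone does not close the XSS hole he hints at. The helper names h(), field(), filterInput() and renderComment() and the $post array are assumptions for this example; $post is a constructed stand-in for $_POST so the script runs from the command line. It uses htmlspecialchars() rather than htmlentities(); the two encode the same five characters that matter for XSS (&, <, >, " and ') and take the same flags, so the point carries over. Requires PHP 7.1 or later for the nullable return type and short list destructuring.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread or the O'Reilly book.
// Fills $clean from request data before escaping, and shows why strip_tags()
// on its own is not an XSS defence. $post is a constructed stand-in for $_POST.

/**
 * Escape for an HTML text node or a double-quoted attribute value.
 * ENT_QUOTES also encodes the single quote; ENT_SUBSTITUTE replaces invalid
 * UTF-8 with U+FFFD instead of returning an empty string, which is one way
 * to get the "blank" output the original poster saw.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Pull one scalar field out of the request, reject arrays (name[]=x), trim it
 * and enforce a byte-length limit. Returns null when the field is invalid.
 */
function field(array $post, string $key, int $maxBytes): ?string
{
    $value = $post[$key] ?? null;
    if (!is_string($value)) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxBytes) {
        return null;
    }
    return $value;
}

/** Build $clean so that only validated values ever enter it. Returns [$clean, $errors]. */
function filterInput(array $post): array
{
    $clean = [];
    $errors = [];

    $name = field($post, 'name', 64);
    if ($name === null) {
        $errors[] = 'name: required, single value, at most 64 bytes';
    } else {
        $clean['name'] = $name;
    }

    $comment = field($post, 'comment', 2000);
    if ($comment === null) {
        $errors[] = 'comment: required, single value, at most 2000 bytes';
    } else {
        $clean['comment'] = $comment;
    }

    return [$clean, $errors];
}

/** Escape once, at the point of output, for the HTML text context used here. */
function renderComment(array $clean): string
{
    $html = [
        'name'    => h($clean['name']),
        'comment' => h($clean['comment']),
    ];
    return "<p>{$html['name']} writes:</p>\n"
         . "<blockquote>{$html['comment']}</blockquote>\n";
}

// Constructed sample request: a script tag plus an attribute-breakout payload
// that contains no tags at all.
$post = [
    'name'    => '<b>Bob</b>',
    'comment' => '<script>alert(1)</script> " onmouseover="alert(2)',
];

[$clean, $errors] = filterInput($post);
if ($errors !== []) {
    foreach ($errors as $e) {
        echo 'error: ', h($e), "\n";
    }
    exit(1);
}
echo renderComment($clean);

// strip_tags() drops the <script> element but keeps its text and leaves the
// double quote untouched, so '<input value="' . strip_tags($x) . '">' is still
// injectable. The escaped form turns the quote into &quot; and cannot break out.
echo 'strip_tags():       ', strip_tags($post['comment']), "\n";
echo 'htmlspecialchars(): ', h($post['comment']), "\n";
```

Run it with `php example.php`. The comment line comes out as `&lt;script&gt;alert(1)&lt;/script&gt; &quot; onmouseover=&quot;alert(2)` from h(), but as `alert(1) " onmouseover="alert(2)` from strip_tags(). The design choice is to validate on the way in (into $clean) and escape on the way out (into $html), choosing the escaping function by the output context; a value destined for a JavaScript string, a URL or a CSS property needs a different encoder than the HTML one shown here.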
