
Using $htmlentities correctly


5 replies to this topic

#1 nickd_101

nickd_101
  • New Members
  • Pip
  • Newbie
  • 8 posts

Posted 05 September 2006 - 07:36 PM

Hi,
I'm attempting to "secure" a form on my website. I want to stop people using XSS and running rogue code in the forms. I'm attempting to use an example I found in a book:

<?php

$clean = array();
$html = array();

/* Filter Input ($name, $comment) */

$html['name'] = htmlentities($clean['name'], ENT_QUOTES, 'UTF-8');
$html['comment'] = htmlentities($clean['comment'], ENT_QUOTES, 'UTF-8');

echo "<p>{$html['name']} writes:<br />";
echo "<blockquote>{$html['comment']}</blockquote></p>";

?>
This works, allowing me to stop some HTML use, but not all. Also it just leaves a blank space. Is there any way to extract the text that the user attempts to post?

#2 ronverdonk

ronverdonk
  • Members
  • PipPipPip
  • Advanced Member
  • 277 posts
  • LocationNetherlands

Posted 05 September 2006 - 09:12 PM

That O'Reilly book has an error. You must fill your $clean array first:

$clean['name'] = $_POST['name'];
$clean['comment'] = $_POST['comment'];

Ronald  8)
RTFM is an almost extinct art form, it should be subsidized.

#3 nickd_101

nickd_101
  • New Members
  • Pip
  • Newbie
  • 8 posts

Posted 05 September 2006 - 09:51 PM

Thanks very much for the help,
I'll give it a try soon.

#4 Barand

Barand
  • Moderators
  • Sen . ( ile || sei )
  • 18,016 posts

Posted 05 September 2006 - 10:21 PM

Or use strip_tags() to remove HTML code completely:

<?php
$str = "This is <B>bold</B>";

echo $str . '<br />';
echo htmlentities($str) . '<br />';
echo strip_tags($str) . '<br />';
?>

-->
This is bold
This is <B>bold</B>
This is bold

If you are still using mysql_ functions, STOP! Use mysqli_ or PDO. The longer you leave it the more you will have to rewrite.

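Putting the two replies together, here is the corrected flow as an added example (not code from the thread or from the book): fill $clean from the request only after validating each field, escape with htmlentities() at the point of output, and see how strip_tags() differs. The helper names clean_text() and h() and the $post array standing in for $_POST are my own.

```php
<?php
// Added example, not from the thread: $clean is populated from the request
// (reply #2), escaping happens at output, and strip_tags() is shown for contrast (reply #4).
declare(strict_types=1);

/** Validate one text field: must be a string, trimmed, non-empty, length-bounded, valid UTF-8.
 *  Returns null when the field is missing or invalid. */
function clean_text(array $input, string $key, int $maxLen): ?string
{
    if (!isset($input[$key]) || !is_string($input[$key])) {
        return null;
    }
    $value = trim($input[$key]);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    // Reject malformed UTF-8 so the encoder never sees bytes it cannot represent.
    if (!mb_check_encoding($value, 'UTF-8')) {
        return null;
    }
    return $value;
}

/** Escape a string for HTML element content or a double-quoted attribute value. */
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request data standing in for $_POST (hypothetical values).
$post = [
    'name'    => 'Nick <script>alert("x")</script>',
    'comment' => 'This is <B>bold</B> & "quoted"',
];

$clean = [];
$clean['name']    = clean_text($post, 'name', 50);
$clean['comment'] = clean_text($post, 'comment', 2000);

if ($clean['name'] === null || $clean['comment'] === null) {
    echo "<p>Invalid input.</p>\n";
    exit;
}

// Escaped at output: the browser displays the tags as literal text instead of parsing them.
echo '<p>' . h($clean['name']) . " writes:</p>\n";
echo '<blockquote>' . h($clean['comment']) . "</blockquote>\n";

// For comparison: strip_tags() deletes the markup but leaves & and quotes untouched,
// so it changes the user's text and still is not an escaping function.
echo '<p>' . strip_tags($clean['comment']) . "</p>\n";
```

Run it with `php example.php` and compare the two blockquote/paragraph lines: the escaped version keeps the user's text intact and inert, while the stripped version silently loses the tags.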

#5 Ninjakreborn

Ninjakreborn
  • Members
  • PipPipPip
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 05 September 2006 - 10:23 PM

All that work, all that programming, to get cut down by someone who had just one function to name.  That function held more power than 10 lines of code you had up there, that was hilarious.

------

Business Website: http://www.infotechnologist.biz

Personal Website: http://www.joyelpuryear.com

Blog Site: http://www.realmofwriting.com
Services: Web development, application development, mobile development, and custom development. All services listed on my website.


#6 ronverdonk

ronverdonk
  • Members
  • PipPipPip
  • Advanced Member
  • 277 posts
  • LocationNetherlands

Posted 05 September 2006 - 11:01 PM

businessman332211: If it was only that easy to prevent hacking! But it isn't.

Ronald  8)
RTFM is an almost extinct art form, it should be subsidized.
