Using $htmlentities correctly

[nickd_101]

Hi,
I'm attempting to "secure" a form on my website. I want to stop people using XSS and running rogue code in the forms. I'm attempting to use an example i found in a book:

<?php

    $clean = array();
    $html = array();

    /* Filter Input ($name, $comment) */

    $html['name'] = htmlentities($clean['name'], ENT_QUOTES, 'UTF-8');
    $html['comment'] = htmlentities($clean['comment'], ENT_QUOTES, 'UTF-8');

    echo "<p>{$html['name']} writes:<br />";
    echo "<blockquote>{$html['comment']}</blockquote></p>";

    ?>
this works allowing me to stop some html use but not all. Also it just leaves a blank space. Is there anyway to extract the text that the user attempts to post?

[ronverdonk]

That O'Reilly book has an error. You must fill your $clean array first:

[code]$clean['name'] = $_POST['name'];
$clean['comment'] = $_POST['comment'];[/code]

Ronald  8)

[nickd_101]

thanks very much for the help,
i'll give it a try soon

[Barand]

or use strip_tags() to remove html code completely

[code]<?php
$str = "This is <B>bold</B>";

echo $str . '<br />';
echo htmlentities($str) . '<br />';
echo strip_tags($str) . '<br />';

?>[/code]

-->
This is [B]bold[/B]
This is <B>bold</B>
This is bold

[Ninjakreborn]

All that work, all that programming, to get cut down by someone who had just one function to name.  That function held more power thatn 10 lines of code you had up there, that was hillarious.

[ronverdonk]

businessman332211: If it was only that easy to prevent hacking! But it isn't.

Ronald  8)