dotancohen Posted November 6, 2006

I'm setting up a comments system on a site, with the comments stored in a MySQL database. To prevent SQL injection, I run mysql_real_escape_string() on ingoing data. This should be enough to protect the database (tell me if otherwise), but I'd like to prevent people from posting JavaScript and other malicious HTML. Basically, I'd like the comments to be BBCode and text only, using this BBCode parser: http://il.php.net/manual/en/fu....php#69398

How can I strip the remaining HTML, JavaScript, and whatnot from the posts? If somebody has already invented this wheel, then I'd rather not risk a security breach by trying to reinvent it myself.

Thanks in advance.
Dotan Cohen
http://lyricslist.com
sinisake Posted November 6, 2006

http://www.php.net/manual/en/function.strip-tags.php
dotancohen (Author) Posted November 6, 2006

Thanks. I did see that, but it specifically says that it is easily circumvented with JavaScript on the tags I leave (and convert to BBCode). Maybe I need a way of removing all tag attributes before I run it through this.
ralph4100 Posted November 7, 2006

htmlentities is SUPPOSED to do what you want, but I am having problems with it. See my topic, hahaha.
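Added example (not posted by anyone in this thread, and not the linked parser): instead of trying to strip tags and attributes after the fact, encode everything with htmlspecialchars() first and then translate only a small BBCode whitelist back into markup the site controls. The function name render_comment and the three supported tags are assumptions for the example.

```php
<?php
// Turn a raw comment into HTML that contains only markup we generated.
function render_comment(string $raw): string {
    // Step 1: every '<', '>', '"', "'" and '&' becomes an entity, so no tag
    // or attribute the poster typed can survive as live HTML.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: only these BBCode tags are turned back into HTML.
    $safe = preg_replace('#\[b\](.*?)\[/b\]#is', '<strong>$1</strong>', $safe);
    $safe = preg_replace('#\[i\](.*?)\[/i\]#is', '<em>$1</em>', $safe);

    // [url=...] is the risky one: only http(s) targets are accepted, so a
    // javascript: or data: target is dropped and just the link text remains.
    $safe = preg_replace_callback(
        '#\[url=(.+?)\](.*?)\[/url\]#is',
        function (array $m): string {
            $href = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('#^https?://[^\s"\'<>]+$#i', $href)) {
                return $m[2]; // reject the target, keep the visible text
            }
            $attr = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $attr . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    return nl2br($safe);
}

// Constructed sample input mixing BBCode with the kind of content the
// thread wants kept out of the page.
$comment = "Nice [b]site[/b]! <script>alert(1)</script> "
         . "[url=javascript:alert(1)]click[/url] [url=http://example.com/?a=1&b=2]ok[/url]";
echo render_comment($comment), "\n";
```

Because the raw text is entity-encoded before any BBCode is interpreted, strip_tags() is never needed and there is no attribute to smuggle JavaScript through; the only `<` characters in the output are the ones render_comment wrote itself.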