Delete All Html In Comments

[wickedXxxxlegox]

Hi everyone,

 

 

If you know a way to block comments that have HTML in them, then please PM me. Someone just posted a comment that made the site redirect to goatse.ch... 

 

 

Please help!! 

 

 

P.S. I've already deleted the comment with HTML in it and I have disabled comments.

[PFMaBiSmAd]

When you output content on a site, use htmlentities, with the second parameter set to ENT_QUOTES, so that any HTML/javascript in the content won't have any effect.

 

[Jessica]

There's also things like HTML_Safe if you want to allow some limited HTML.

http://pear.php.net/package/HTML_Safe

[premiso]

What do you have in place already? Show us the form and the php side of things and we can help you getting it secured.

[shlumph]

There's more than one way to skin this cat: htmlspecialchars(), strip_tags(), htmlentities(), etc. would all do the job.  Some people like to do it before inserting into DB, other like to do it while printing the content out.

 

http://www.php.net/strip_tags

http://www.php.net/htmlspecialchars

http://www.php.net/htmlentities

[Christian F.]

htmlspecialchars () is definitely the way to go. htmlentities () is quite unnecessary as it does too much, and strip_slashes () is not recommended because you're just as likely to remove legit content with it.

 

However, this doesn't alleviate the need to Validate the Input you get from the user. The above methods are only Escaping Output, after all. Input validation is a quite wide and potential complex topic, so I recommend reading a few guides on how to do this.

[wickedXxxxlegox]

Okay, here's my commentstream.php code:

 

 

<?php
('includes/db_connect.php');
$result = mysql_query("SELECT * FROM comments ORDER BY id DESC LIMIT 10");
htmlspecialchars ()
while($row = mysql_fetch_array($result))
  {
  echo "<div class='comment'><b><center>".$row['username'] . "</b></center><br><br><center><i>" . $row['comment']."</i></center><>";
  echo "<br/>";
  }
  ?>

 

 

 

 

Error:Parse error: syntax error, unexpected T_WHILE in /home/a1922355/public_html/commentstream.php on line 5

[Christian F.]

I think you need to read the PHP manual on this one, especially the examples.

[phpfreak]

Your call to htmlspecialchars() isn't necessary and shouldn't be there without being used. Check the PHP Manual..

<?php
('includes/db_connect.php');
$result = mysql_query("SELECT * FROM comments ORDER BY id DESC LIMIT 10");
htmlspecialchars ()  // <--- Why is this even here? It's not being called right, not ending with a ; .  
while($row = mysql_fetch_array($result))
 {
 echo "<div class='comment'><b><center>".$row['username'] . "</b></center><br><br><center><i>" . $row['comment']."</i></center><>";
 echo "<br/>";
 }
 ?>

[wickedXxxxlegox]

Hello all...

 

I am working on a website, but I have a comments system and my 'good' ole friend is using HTML redirects...

 

 

So, I am trying to delete all code that shows up in comments. Basically what I want to do is have it so that <b> = [bLOCKED].

 

Here's my code:

<meta http-equiv="Refresh" content="0;url=home.php" />
<?php
include('includes/db_connect.php')

$username = mysql_real_escape_string($username);
$comment = mysql_real_escape_string($comment);

mysql_query("INSERT INTO comments (username, comment) VALUES ('$_POST[username]','$_POST[comment]')");
?>

 

Thanks!

[Zane]

You best bet is to use Regex for this..so I´m moving this to that forum.

[wickedXxxxlegox]

Okay. I'm fine with moving it

[wickedXxxxlegox]

Anyone? =\

[Jessica]

You were already told how to do this without regex.

http://forums.phpfreaks.com/topic/268607-no-html-in-comment-system/#entry1379760

[premiso]

You best bet is to use Regex for this..so I´m moving this to that forum.

 

Moving back, this is not a regex problem at all. As jesi pointed out, it was already answered in his original post.

 

Edit:

Looks like gurus cannot move anymore. Either or, it is not a regex issue.

Edited September 22, 2012 by premiso