
I have a simple user bio section on my web site. As of right now everything works fine except that the bios are not formatted and I want to remove any HTML that the user adds. I know that strip_tags is used to remove HTML but wasn't sure if I could use that alongside adding my own HTML. The HTML that I am looking to add is <p> and <br> to properly format them.


This is the form that I have:


<form id="update_profile" method="post"> <!-- method="post" added: the update script reads $_POST -->
<!-- values echoed back into the form are escaped so stored text cannot be interpreted as HTML -->
<textarea name="BIO" cols="50" rows="6"><?php echo htmlspecialchars($bio); ?></textarea><br>
<span class="rulemain">Your Favorite drink: </span><br>
<input type="text" name="FAV_DRINK" value="<?php echo htmlspecialchars($fav_drink); ?>"><br>
<input type="radio" name="SHARE_EMAIL" value="1"> <span class="rulesub">Share my email.</span><br>
<input type="hidden" name="USER_ID" value="<?php echo htmlspecialchars($name); ?>">
<input type="submit" value="Update Profile">
</form>


Here is what the update script looks like:


<?php
include "scripts/connect.php";
// Note: the mysql_* extension used here is deprecated; the same flow works with mysqli or PDO.
mysql_connect('localhost', $username, $password);
@mysql_select_db($database) or die("Unable to select database");

// Escape each submitted value for use inside the SQL string.
$bio   = mysql_real_escape_string($_POST['BIO']);
// Note: trusting USER_ID from a hidden form field lets the submitter pick any username;
// it is safer to take the logged-in user from the session instead.
$user  = mysql_real_escape_string($_POST['USER_ID']);
$drink = mysql_real_escape_string($_POST['FAV_DRINK']);
// The original was missing the closing quote here; an unchecked radio button is not
// submitted at all, so default it rather than reading an undefined index.
$share_email = isset($_POST['SHARE_EMAIL']) ? mysql_real_escape_string($_POST['SHARE_EMAIL']) : '0';

$error = '';
$userquery = mysql_query("SELECT * FROM user WHERE (username='$user')");
// The original applied "or die()" to the SQL string itself; it belongs on mysql_query().
$sql = "UPDATE user SET bio='$bio', drink='$drink', show_email='$share_email' WHERE username='$user'";
$query = mysql_query($sql) or die(mysql_error());

You don't say how you want to apply the <p> and <br> tags in the output. If it is around the content then there is no problem. If it is inside the content that is a different matter. It is simple enough to add line breaks using nl2br(), but if you want <p> tags inside you may have to build some functionality.

But, here's my position. There's absolutely no reason you have to use strip_tags() - especially for a comment. You should be very, very sure about removing any part of a user's input without them knowing. It could result in problems. The important thing is to ensure that the content is not treated as HTML code. For example, if I add <b>bold</b> into my post here it doesn't appear bold.

So, my opinion is that the only data transformation you should do before saving the content is to trim it. Then, when outputting the data, use htmlspecialchars() or htmlentities() to prevent the content from being interpreted as HTML. Plus, you should use nl2br() to add any line breaks.

I too recommend the use of htmlspecialchars() to prevent HTML injections, and if you need to add HTML newline characters, using nl2br() (or better nl2para(), found in the comments) afterwards is the proper course of action.


One thing Psycho didn't mention about strip_tags() is that it doesn't validate HTML, and thus may end up removing what is otherwise legal content. So if someone were to write "I <3 cats." followed by a 3000-word essay on why, the only part that would escape strip_tags() is "I ".

I doubt that user would be very happy when they realized your script silently deleted their 3000-word essay with no way of getting it back.
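A worked version of what both answers recommend (trim() only before saving; htmlspecialchars() and then paragraph and line-break markup at output time), written as an added example for this thread rather than taken from any post in it. format_bio() is my own nl2para-style helper, an assumption, not the manual-comment function referred to above; the sample bio is constructed.

```php
<?php
// Added example (not code from the posts above): the only pre-save transformation is
// trim(); all HTML handling happens when the bio is displayed.

// Own nl2para-style helper (an assumption, not the manual-comment function mentioned
// in the thread): escape first, then add <p> and <br> markup.
function format_bio(string $bio): string
{
    // 1. Escape so nothing the user typed is interpreted as HTML.
    $safe = htmlspecialchars($bio, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Normalise line endings (textareas submit "\r\n") and split on blank lines.
    $safe = str_replace(["\r\n", "\r"], "\n", $safe);
    $paragraphs = preg_split('/\n{2,}/', trim($safe));

    // 3. Wrap each paragraph in <p>; single newlines inside it become <br>.
    $html = '';
    foreach ($paragraphs as $p) {
        $html .= '<p>' . nl2br($p, false) . "</p>\n";
    }
    return $html;
}

// Constructed sample bio, as it would arrive from the textarea.
$submitted = "  I <3 cats.\r\nThey are <b>great</b>.\r\n\r\nEveryone should have one.  ";

// Before saving: trim() and nothing else.
$stored = trim($submitted);

// strip_tags() treats the "<" in "<3" as the start of a tag that never closes,
// so everything after "I " is silently discarded, as Christian describes.
echo strip_tags($stored), "\n";

// Escaping on output keeps the whole text: "<3" and "<b>" are displayed literally,
// the single newline becomes <br> and the blank line becomes a paragraph break.
echo format_bio($stored);
```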

One thing Psycho didn't mention about strip_tags() is that it doesn't validate HTML, and thus may end up removing what is otherwise legal content.

Yes, I did mention that:

You should be very, very sure about removing any part of a user's input without them knowing. It could result in problems.

There could be several examples where the result would not be as expected. The reason I do not always give a specific example is that an OP might think that the example given is the only problematic one and might dismiss it as not being relevant. If someone would like specifics they can ask and I will be happy to provide more details.
