Remove HTML tags?

[xProteuSx]

I have written a simple form that stores comments in a database, and displays them on a website where relevant. As such, I have a simple input box for the comment. I was wondering if there is a function or script that will automatically detect and remove HTML tags, so that only text is being saved to the database, and not HTML.

 

As it stands if someone was to put this in the comments section and submit:

 

"I have a cool <a href="http://www.dirtyporn.com">website</a> to share."

 

It would actually display:

 

"I have a cool website to share."

 

And the link would be live. Oh noes, right?

[xProteuSx]

I think I found something: strip_tags(). Will give that a go.

[Christian F.]

The proper way in most circumstances, is not to strip the tags, but to escape the output. That way all characters that ha a special meaning to HTML would be transformed, so that they display as actual text instead.

For HTML output escaping you should use the htmlspecialchars () function.

 

strip_tags () has the problem of not only removing valid HTML tags, but also everything that looks like it might be HTML. So if anyone started their post with "<3" everything would be removed. Or at least everything up to, and including, the first ">".

[xProteuSx]

Thanks Christian. I have decided to use strip_tags() because I actually want all of the nonsense between the < and > characters gone. I understand that this poses a problem if the user uses one of those within the text, but unless there is a way to determine whether these characters are being used for HTML purposes or not, its something I will have to risk. I've made this comments script pretty public, and I expect there to be a point where I will not be able to administer and regulate all comments myself, and someone might start to post spam using this form -- big no-no for me.

 

Cheers.