JohnnyDoomo
Posted September 4, 2013

I'm a noobie at php, so this is probably very simple, but I have a field that allows users to submit a title for a page. Today I discovered someone submitted a title that had "<head><title>" in it, and it broke the site.

If my variable is called $_POST['title'] can someone please show me how I would either keep "<head><title>" in the title, but not process it, or remove certain html tags that would cause trouble?

If you could give me the actual code I need, that would be very helpful, as a lot of times things mentioned on how to do it are over my head at the moment.

Thanks for any help you can provide me with.

requinix
Posted September 4, 2013

What you're demonstrating is called XSS and the problem is worse than people just "breaking the site".

Write yourself a function that calls htmlentities or htmlspecialchars with the correct set of arguments for your page: passing ENT_QUOTES and whatever character encoding your pages use. Like

```php
function htmlescape($string) {
    return htmlentities($string, ENT_QUOTES, "UTF-8");
}
```

Then use that every time you output arbitrary user-provided information, like

```php
<?=htmlescape($_POST["title"])?>
```

If you're wondering about what to do with your database, don't escape the data when it goes in. Only when you're about to display it on your page.

But make sure you're not putting $_POST data into your queries directly because there's a SQL version of the problem you're having and it can be even worse than this XSS thing.
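
The advice in the answer above carried end to end, as an added example that is not part of the original thread: the title is stored unescaped, kept out of the SQL text, and escaped only when it is written into the page. Assumptions: PDO with the SQLite driver, a made-up `pages` table, a constructed `$submitted` array standing in for `$_POST`, and a prepared statement as the way to keep the value out of the query (the answer does not name a technique).

```php
<?php
declare(strict_types=1);

// Escape for HTML text and quoted attribute values (same call as in the answer above).
function htmlescape(string $string): string
{
    return htmlentities($string, ENT_QUOTES, "UTF-8");
}

// Constructed stand-in for the submitted form field $_POST['title'].
$submitted = ['title' => '<head><title>My "page" & more'];

// Assumption: an in-memory SQLite table named pages, so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

// Going in: store the raw text, bound as a parameter so it never becomes part of the SQL string.
$insert = $db->prepare('INSERT INTO pages (title) VALUES (:title)');
$insert->execute([':title' => $submitted['title']]);

// Coming out: the database returns exactly what the user typed.
$stored = $db->query('SELECT title FROM pages WHERE id = 1')->fetchColumn();

// Escape once, at the moment of output, in every place the value lands in the HTML.
$html = '<h1>' . htmlescape($stored) . '</h1>' . "\n"
      . '<input name="title" value="' . htmlescape($stored) . '">' . "\n";
echo $html;
```

Because the stored value is still the raw text, the same row can later be sent to a non-HTML destination (plain-text e-mail, JSON) without first undoing an HTML escape.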