
Validating "Comment" Box


4 replies to this topic

#1 soccer022483

soccer022483
  • Members
  • Newbie
  • 6 posts

Posted 28 February 2006 - 06:09 PM

I have a comment textarea on a form. To validate it I'm going to use PHP regular expressions. Anyone know a good regexp to use? Or what characters should I allow/not allow? The only ones I was thinking would cause problems are "<" and ">". That would prevent HTML and PHP and others. Your comments/suggestions?

#2 AndyB

AndyB
  • Staff Alumni
  • Advanced Member
  • 5,465 posts
  • LocationToronto

Posted 28 February 2006 - 07:31 PM

The strip_tags() might do all you need.
Legend has it that reading the manual never killed anyone.
My site

#3 soccer022483

soccer022483
  • Members
  • Newbie
  • 6 posts

Posted 28 February 2006 - 07:40 PM

That's an interesting idea. But should I alert the user that what they entered is invalid, or just strip the tags without them knowing?

#4 XenoPhage

XenoPhage
  • Members
  • Advanced Member
  • 99 posts

Posted 28 February 2006 - 08:06 PM

Be careful, however. This strips tags, but does not strip quotes. If you're storing the comment in a database, you could open yourself up to a security problem. I urlencode the strings before storing them in the database, then use the following to display it later (note, I use smarty templates, but this should work for straight php as well) :

// "Fix" the free-form text and assign it to the template.
// $impact holds the comment as read back from the database, i.e. still
// urlencode()d; $smarty is the Smarty template object.
if (get_magic_quotes_gpc()) {
    // Magic quotes added backslashes on input, so remove them after decoding.
    $smarty->assign('impact', stripslashes(urldecode($impact)));
} else {
    $smarty->assign('impact', urldecode($impact));
}

XenoPhage
--
XenoPhage (http://blog.godshell.com)
Quote: Something mysterious is formed, born in the silent void. Waiting alone and unmoving, it is at once still and yet in constant motion. It is the source of all programs. I do not know its name, so I will call it the Tao of Programming.

#5 kenrbnsn

kenrbnsn
  • Staff Alumni
  • Advanced Member
  • 8,235 posts
  • LocationHillsborough, NJ, USA

Posted 28 February 2006 - 08:23 PM

You don't need to do the urlencode/urldecode routine if you use the mysql_real_escape_string() function (http://www.php.net/mysql_real_escape_string) when you put the data into the database.

Ken
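The points made in this thread, as an added example that is not from any of the posters: strip_tags() removes markup but leaves quotes in place, the database layer has to handle those quotes itself (a PDO prepared statement plays the role mysql_real_escape_string() does in Ken's post), and escaping for HTML output is a separate step done at display time. The sample comment is constructed, and the script assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: strip_tags() vs. storage escaping vs. output escaping.

function cleanForStorage(string $text): string
{
    // strip_tags() drops the <a> element but keeps every quote character,
    // so it is not a substitute for escaping before a database query.
    return strip_tags($text);
}

function storeAndFetch(PDO $db, string $text): string
{
    // A prepared statement carries the quotes safely; no urlencode() round
    // trip and no hand-written escaping is required.
    $db->exec("CREATE TABLE IF NOT EXISTS comments (body TEXT)");
    $stmt = $db->prepare("INSERT INTO comments (body) VALUES (:body)");
    $stmt->execute([':body' => $text]);
    $row = $db->query("SELECT body FROM comments ORDER BY rowid DESC LIMIT 1");
    return (string) $row->fetchColumn();
}

function displayText(string $text): string
{
    // Escape at output time so quotes and any angle brackets that survived
    // validation are rendered literally in the page.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: a tag with an attribute, plus single and double quotes.
$comment = "It's a <a href=\"http://example.com\">great</a> form, \"really\".";

$clean = cleanForStorage($comment);       // tags gone, quotes still present
$db = new PDO('sqlite::memory:');         // assumes pdo_sqlite is installed
$stored = storeAndFetch($db, $clean);     // quotes stored and read back intact

echo "After strip_tags: " . $clean . "\n";
echo "Round-tripped:    " . $stored . "\n";
echo "For HTML output:  " . displayText($stored) . "\n";
```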



