Grego Posted June 18, 2007

I've got textareas for my users to input descriptions etc. into. The problem is that when they enter HTML or PHP code, it comes out like that, which means they could potentially access the database and mess around with the page. How can I keep my pages secure when displaying this text? I.e. how can I make it actually say on screen: "Hello, I'm <strong>Grego</strong>" rather than "Hello, I'm Grego"?

https://forums.phpfreaks.com/topic/56015-solved-keeping-your-site-secure-from-users/
chocopi Posted June 18, 2007

You could use strip_tags:

```php
<?php
$text = "Hello <strong>Grego</strong>";
echo $text;             // the browser renders "Grego" in bold
echo strip_tags($text); // the tags are removed: "Hello Grego"
?>
```
Grego (Author) Posted June 18, 2007

Oh, that's a handy function. Thanks.
chocopi Posted June 18, 2007

However, that will only stop HTML tags; it won't stop the likes of MySQL stuff.
Grego (Author) Posted June 18, 2007

So if someone put in `<? mysql_connect ?>`, it would work? (If it has the correct syntax and arguments.)
chocopi Posted June 18, 2007

Well, I think they could use stuff like SELECT FROM or DELETE FROM. In my code I use this on submit:

```php
<?php
$original = $_POST['message'];
$original = strip_tags($original);                 // remove any HTML/PHP tags
$original = htmlentities($original, ENT_QUOTES);   // encode the rest, including quotes
?>
```

and then to get it back:

```php
<?php
$text = $_POST['original'];
$text = mysql_real_escape_string($text); // backslash-escape quotes for the SQL string
$text = stripslashes($text);             // note: this removes the backslashes just added above
?>
```

That might cause some problems, but it should be fine.

~ Chocopi
Grego (Author) Posted June 18, 2007

Could you just shrink that all down to:

```php
$original = htmlentities(strip_tags($_POST['message']), ENT_QUOTES);
```
chocopi Posted June 18, 2007

Yeah, you can, but I just prefer being able to see what's going on step by step, especially as I had to keep swapping stuff around.
Grego (Author) Posted June 18, 2007

The strip_tags function is removing all the `<? ?>` references. So I think I'm safe just to use that.
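An added example (not code from anyone in this thread) that separates the two concerns the posts above run together: SQL injection is handled at the database boundary with a bound parameter, and the on-screen question from the first post is answered at the output boundary with htmlspecialchars(), which shows the literal `<strong>` characters instead of stripping them. It assumes PHP with the pdo_sqlite extension so it can use an in-memory database; the table name `descriptions` is an assumption.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread. Storage uses a prepared statement,
// display uses output encoding; the stored text is never modified.

function storeDescription(PDO $pdo, int $userId, string $body): void
{
    // The value is bound, never concatenated into the SQL, so quotes and
    // keywords such as "DELETE FROM" inside $body are plain data.
    $stmt = $pdo->prepare(
        'INSERT INTO descriptions (user_id, body) VALUES (:uid, :body)'
    );
    $stmt->execute([':uid' => $userId, ':body' => $body]);
}

function loadDescription(PDO $pdo, int $userId): string
{
    $stmt = $pdo->prepare('SELECT body FROM descriptions WHERE user_id = :uid');
    $stmt->execute([':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? '' : (string) $row['body'];
}

// Encode on output, not on input: the browser receives "&lt;strong&gt;" and
// renders it as the visible text "<strong>" rather than as a tag.
function renderForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed environment: pdo_sqlite available; "descriptions" is an assumed table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE descriptions (user_id INTEGER, body TEXT)');

// Constructed sample input: an HTML tag plus an apostrophe, the character
// that would break a string-concatenated SQL query.
$input = "Hello, I'm <strong>Grego</strong>";

storeDescription($pdo, 1, $input);
$stored = loadDescription($pdo, 1);

// The database round-trip leaves the text untouched; only the HTML view is encoded.
echo ($stored === $input) ? "stored verbatim\n" : "stored altered\n";
echo renderForHtml($stored), "\n";
```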