Clintonio Posted July 22, 2007 Share Posted July 22, 2007 I'm making a comment system and I need to somehow stop users being able to mess up my page with PHP or HTML within their comment. I'm thinking of some complicated string replacement system when they input (Or output) to remove any kind of HTML. I was wondering if there was a better solution? Quote Link to comment Share on other sites More sharing options...
redarrow Posted July 22, 2007 Share Posted July 22, 2007 use str_replace or eregi or setup a baneed words function. Quote Link to comment Share on other sites More sharing options...
Hypnos Posted July 22, 2007 Share Posted July 22, 2007 Javascript injection can be very dangerous. If they put in PHP code, it should not run (unless your'e including the comments). But, what you're talking about is a type of Cross Site Scripting (XSS). This is how you stop it: http://shiflett.org/blog/2007/may/character-encoding-and-xss Quote Link to comment Share on other sites More sharing options...
Clintonio Posted July 22, 2007 Author Share Posted July 22, 2007 Oh, I managed to solved it without the use og srt_replace. strip_tags() and htmlspecialchars() are the commands I was looking for Thanks anyway^^ Oh, the Javascript thing... I'm outputting using this: $Comment = str_replace("\n", "<br />", htmlspecialchars(strip_tags($rowc[Comment])), ENT_QUOTES); Is this safe against the injection? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.