Clintonio Posted July 22, 2007 Share Posted July 22, 2007 I'm making a comment system and I need to somehow stop users being able to mess up my page with PHP or HTML within their comment. I'm thinking of some complicated string replacement system when they input (Or output) to remove any kind of HTML. I was wondering if there was a better solution? Link to comment https://forums.phpfreaks.com/topic/61226-output-without-html/ Share on other sites More sharing options...
redarrow Posted July 22, 2007 Share Posted July 22, 2007 use str_replace or eregi or setup a baneed words function. Link to comment https://forums.phpfreaks.com/topic/61226-output-without-html/#findComment-304616 Share on other sites More sharing options...
Hypnos Posted July 22, 2007 Share Posted July 22, 2007 Javascript injection can be very dangerous. If they put in PHP code, it should not run (unless your'e including the comments). But, what you're talking about is a type of Cross Site Scripting (XSS). This is how you stop it: http://shiflett.org/blog/2007/may/character-encoding-and-xss Link to comment https://forums.phpfreaks.com/topic/61226-output-without-html/#findComment-304626 Share on other sites More sharing options...
Clintonio Posted July 22, 2007 Author Share Posted July 22, 2007 Oh, I managed to solved it without the use og srt_replace. strip_tags() and htmlspecialchars() are the commands I was looking for Thanks anyway^^ Oh, the Javascript thing... I'm outputting using this: $Comment = str_replace("\n", "<br />", htmlspecialchars(strip_tags($rowc[Comment])), ENT_QUOTES); Is this safe against the injection? Link to comment https://forums.phpfreaks.com/topic/61226-output-without-html/#findComment-304630 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.