chantown Posted September 28, 2007

Hi, I'm making a comment box where users can type messages (and include HTML tags). When I pass this through my script/MySQL as text, is there anything special I should do (stripslashes/addslashes/convert to HTML)? I don't want them to use it to SQL inject or XSS me :/ Thanks!
pocobueno1388 Posted September 28, 2007

This is a handy class: http://htmlpurifier.org/
snowman15 Posted September 28, 2007

Hey, I'm pretty new at this whole thing, but I think I may see where you're coming from. IF you are displaying the data they entered on a web page, the embedded new line ( \n ) that the user has entered in the text (comment) box will not be displayed by your HTML. Instead, they must use line break (<br />) tags. To do this, you must take your string and use the nl2br() function (new line to break), aka text to HTML when using strings. So, once the person uses the form and you receive the data with a $_POST method or something, take that variable and use this script: nl2br($string_variable) to take the new lines and create <br /> instead. That way, if they made new lines or something, it will turn out a lot better.

Also (and I'm not a pro at this part), but from what I understand, if you use this code:

    <?php
    // get_magic_quotes_gpc() reports whether PHP already escaped the request data
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    } else {
        $string = addslashes($string);
    }
    ?>

This will add or take away slashes if needed, depending on whether "magic quotes" are turned on on your server. This means if your server automatically adds slashes, it will take them away in the string. If not, it adds slashes so it will display correctly.

So, the two things I would do would be nl2br() and the "magic quotes" line of code to make sure that everything is right with your string. As far as SQL injections go, I have no idea. Good luck!
alpha2zee Posted November 7, 2007

For filtering input, one may also think of using htmLawed (http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php), a highly customizable, 45 kb, single file, non-OOP PHP script to filter and purify HTML. Besides restricting tags/elements, attributes and URL protocols as per one's specification, and balancing HTML tags and ensuring valid tag nesting/well-formedness, it also has good anti-XSS and anti-spam measures.
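The two halves of the original question (SQL injection on the way in, XSS on the way out) are separate problems with separate fixes, which the addslashes/stripslashes suggestion above blurs. This is an added example, not code from any poster; it assumes a `comments` table with `author` and `body` columns and uses an in-memory SQLite database so it runs without a MySQL server (with MySQL only the DSN changes). Allowing a subset of HTML tags through would additionally need a purifier such as the ones recommended in this thread; plain escaping, as shown here, treats every tag as text.

```php
<?php
// Added example (not from the thread): parameterise the SQL, escape the HTML at output.
declare(strict_types=1);

function openDb(): PDO {
    // SQLite in memory keeps the example self-contained; the prepared-statement
    // calls below are identical for a MySQL DSN such as 'mysql:host=...;dbname=...'.
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
    return $pdo;
}

// Database side: bound parameters make quotes in the text harmless, so the
// stored value stays exactly what the user typed (no addslashes()/stripslashes()).
function saveComment(PDO $pdo, string $author, string $body): int {
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadComment(PDO $pdo, int $id): array {
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// HTML side: escape first (so <script> becomes inert text), then convert the
// newlines the comment box produced into <br /> tags as snowman15 suggests.
function renderComment(string $body): string {
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

$pdo = openDb();
// Constructed test inputs: a name containing a quote and a body containing a tag.
$id  = saveComment($pdo, "o'reilly", "Nice post!\n<script>alert(1)</script>");
$row = loadComment($pdo, $id);

// The quote survives the INSERT untouched because it was bound, not concatenated.
assert($row['author'] === "o'reilly");
// The body is stored verbatim and only neutralised when it is rendered.
assert(strpos(renderComment($row['body']), '<script>') === false);
echo renderComment($row['body']), "\n";
```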