craygo Posted January 24, 2008: I have a site where users can write reviews for products. I want to make sure they don't use malicious code in the reviews, like <script> and things like that. How would I go about coding this? Just create an array of words to look for and deny the insert? Any help and code is appreciated. Ray
revraz Posted January 24, 2008: You want to block all HTML or just certain tags?
craygo (Author) Posted January 24, 2008: Just certain tags. I would still like to let them use <br> for line breaks and <b>, <u>, things like that.
PHP Monkeh Posted January 24, 2008: I'd stop them from using any HTML code in your input forms, and just allow them to use bbcode and parse it that way (i.e. replacing all with <b> when you're outputting what they've written). I just think it would be a lot safer that way.
craygo (Author) Posted January 24, 2008: What would be the easiest way to check for code? I would just like to check for any code and, if found, deny the insert.
PHP Monkeh Posted January 24, 2008: Bah, my previous post didn't work the way I intended and I didn't check it (i.e. replacing all [b] with <b> when you're outputting what they've written). I'm not sure how you could deny all code except <b> etc.; that's the problem. Hopefully someone else can (I'm hopeless with regex).
craygo (Author) Posted January 24, 2008: lol, me too, I never understood regex.
resago Posted January 24, 2008: Make an array of bad tags, use preg_replace; if $count > 0 then it found a baddy.
KrisNz Posted January 24, 2008: strip_tags lets you pass a string of allowable tags, and then it will only strip the ones you don't want. You could then compare the original post to the stripped one, and if they were different you'd know the user had submitted dodgy content. Obviously that won't help with the seven words you can't say on TV....
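The two approaches suggested in this thread (strip_tags with an allow-list plus comparison, and the bbcode route), as an added example that is not code from any poster here. The allow-list of <b>, <u>, <br> and the function names are this example's own assumptions.

```php
<?php
// Added example, not code from the thread. Combines the two suggestions
// above: strip_tags() with an allow-list to detect disallowed HTML, and a
// bbcode render path that never lets raw HTML reach the page. The allow-list
// (<b>, <u>, <br>) and the function names are this example's own assumptions.

const ALLOWED_TAGS = '<b><u><br>';

// Returns true when the review uses only allowed tags carrying no attributes.
function reviewIsClean(string $review): bool
{
    // Any tag outside the allow-list is removed by strip_tags(), so the
    // stripped copy differs from the original exactly when a disallowed
    // tag was present (KrisNz's comparison).
    if (strip_tags($review, ALLOWED_TAGS) !== $review) {
        return false;
    }
    // strip_tags() keeps attributes on allowed tags, so an allowed tag that
    // carries anything besides its name (and an optional "/") is rejected
    // as well; that is what makes keeping <b> and <br> safe.
    return preg_match('#<\s*/?\s*(?:br|b|u)\b\s*/?\s*[^>\s/][^>]*>#i', $review) === 0;
}

// Alternative (PHP Monkeh's suggestion): store plain text with [b]/[u]
// bbcode, escape everything on output, then re-enable only those two tags.
function renderBbcode(string $review): string
{
    $safe = htmlspecialchars($review, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safe = preg_replace('#\[(/?)([bu])\]#i', '<$1$2>', $safe);
    return nl2br($safe);
}

// Constructed sample reviews for a quick check.
$samples = [
    'Great <b>product</b>, works fine<br>',
    'Bad <script>x</script>',
    'Bad <b onclick="x">product</b>',
];
foreach ($samples as $s) {
    echo var_export(reviewIsClean($s), true), ' : ', $s, PHP_EOL;
}
echo renderBbcode("Loved it [b]a lot[/b] <script>"), PHP_EOL;
```

Because strip_tags() does not validate HTML, an unpaired "<" in ordinary text can also make the comparison differ; that is a false positive in the deny direction, not a bypass, so asking the user to edit the review is the safe default.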