Daney11 Posted February 15, 2008

Hey guys. I'm using forms to enter information into my website and I'm doing all the security measures needed. However, when I enter

    <script type="text/javascript">window.location = "http://www.google.com/"</script>

to, say,

    <input class="forminput" name="news_title" type="text" value="<?php if (isset($_POST['news_title'])) echo $_POST['news_title']; ?>" />

I get a broken field when the error comes up. Error I'm using is

    if (eregi ('^[[:alpha:][:digit:][:blank:]-]{2,60}$', stripslashes(trim($_POST['news_title'])))) {
        $news_title = escape_data($_POST['news_title']);
    } else {
        $news_title = FALSE;
        $errors[] = 'Please Enter A News Title';
    }

The break of the form field looks like

    FORM[ <script type=\ ]window.location = \"http://www.google.com/\"" />

The [ ] represents the form area. So it's breaking it up. Any ideas on how to solve this?

marcus Posted February 15, 2008

What's the problem, html isn't working?

Daney11 Posted February 15, 2008

No, the enter of the javascript into a form breaks the form up as you can see in the image. It won't go into my database thankfully, but when a user enters javascript into my forms I just want the form to be whole and no break.

marcus Posted February 15, 2008

Make it a textarea, or use htmlentities to prevent them from closing the input box

Daney11 Posted February 15, 2008

Is there not another way to prevent them closing the input box?

marcus Posted February 15, 2008

or use htmlentities to prevent them from closing the input box

and why would you want people to enter javascript as a news title, isn't news for reading; not redirecting?

Daney11 Posted February 15, 2008

People would enter anything in input boxes to try and use SQL injection against your website. I'm trying to iron out ALL bugs so that they cannot SQL inject my website.

marcus Posted February 15, 2008

should have said that

    mysql_real_escape_string();
    strip_tags();
    htmlentities();

Daney11 Posted February 15, 2008

My form is now

    <input class="forminput" name="news_title" type="text" value="<?php if (isset($_POST['news_title'])) echo htmlentities($_POST['news_title']); ?>" />

and it works fine. Thanks.

marcus Posted February 15, 2008

no problem
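
The fix the thread arrives at, as an added example that is not code from any poster: the submitted title is escaped for the HTML attribute it is echoed into, so the quotes in the input can no longer end `value="..."`. The function names `attr`, `valid_title` and `title_input` are hypothetical, and `preg_match()` is swapped in for the thread's `eregi()` on the assumption of PHP 7 or later, where `eregi()` no longer exists.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Escape a value for use inside a quoted HTML attribute.
// ENT_QUOTES encodes both " and ', so the value cannot close the attribute
// whichever quote style the template uses.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same rule as the thread's eregi() check: 2-60 letters, digits, blanks, hyphens.
// The D modifier stops $ from matching before a trailing newline.
function valid_title(string $title): bool
{
    return preg_match('/^[[:alpha:][:digit:][:blank:]-]{2,60}$/D', $title) === 1;
}

// Build the form field with the submitted value escaped for attribute context.
function title_input(string $submitted): string
{
    return '<input class="forminput" name="news_title" type="text" value="'
        . attr($submitted) . '" />';
}

// Constructed sample input: the string from the first post.
$submitted = '<script type="text/javascript">window.location = "http://www.google.com/"</script>';

$errors = [];
if (!valid_title(trim($submitted))) {
    $errors[] = 'Please Enter A News Title';
}

// Unescaped, as in the first post: the first " in the input ends value="...",
// and the remainder is parsed as markup outside the field.
echo '<input class="forminput" name="news_title" type="text" value="' . $submitted . '" />', "\n";

// Escaped: one intact field that shows the text exactly as it was typed.
echo title_input($submitted), "\n";

// Validation still rejects the title, so it is never stored.
echo implode("\n", $errors), "\n";
```

Escaping for HTML output and escaping for the database are separate steps: `mysql_real_escape_string()` from the list above applies to the value going into the query, while the attribute escaping shown here applies to the value going back into the page.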