ohdang888 Posted March 5, 2008
There is a text area. When they submit it, it goes into a database. But how do I disable HTML when it is displayed?
cooldude832 Posted March 5, 2008
strip_tags()
ohdang888 (Author) Posted March 5, 2008
Thanks! So would I only use that when I display it, or would it be better to do that before I even insert it into my database?
cooldude832 Posted March 5, 2008
Do it before going into the database: runs once.
Do it after coming out of the database: runs a lot more times.
You make the decision.
ohdang888 (Author) Posted March 5, 2008
Haha. Alright, thanks!
drewbee Posted March 5, 2008
Just an FYI: it is usually good coding practice to preserve what the user entered into the database exactly, then format it coming out.
roopurt18 Posted March 5, 2008
> Do it before going into the database: runs once.
> Do it after coming out of the database: runs a lot more times.
> You make the decision.

So what happens when you only do this when inserting into the database and I bypass your security elsewhere? Then I can insert whatever I want directly into the database and you are not cleaning it when it is displayed.
ohdang888 (Author) Posted March 6, 2008
Well... if I clean it up BEFORE it ever goes into the database, won't that solve the security issue?
darkfreaks Posted March 6, 2008
You might want to use some sanitation before it goes into the database. Check out trim, mysql_real_escape_string, strip_tags, htmlspecialchars.
ohdang888 (Author) Posted March 6, 2008
OK, so I'm doing this (code below) and it's not working. "Test" is coming up as font size 6.

```php
<font size=1>
<?php
$text = '<font size= 6>Test';
$text1 = strip_tags($text);
echo $text1;
?>
```
darkfreaks Posted March 6, 2008

```php
<?php $text1 = strip_tags($text, '<font size=>'); ?>
```
ohdang888 (Author) Posted March 6, 2008
OK, this must be something with the way my PHP is set up. According to http://us3.php.net/manual/en/function.strip-tags.php, when I put in

```php
<?php
$text = '<p>Test paragraph.</p><!-- Comment --> <a href="#fragment">Other text</a>';
echo strip_tags($text);
echo "\n";

// Allow <p> and <a>
echo strip_tags($text, '<p><a>');
?>
```

I should get:

Test paragraph. Other text
<p>Test paragraph.</p> <a href="#fragment">Other text</a>

But instead it doesn't... It double-spaces the "Test paragraph" and then puts "Other text" in a link.
darkfreaks Posted March 6, 2008

```php
echo strip_tags($text, '<p><a></a>');
```
ohdang888 (Author) Posted March 6, 2008
OK, thanks. My fault. BUT, I want it to display the code, just not activate it (does that make sense?)... What do I need to add to this?
roopurt18 Posted March 6, 2008
> Well... if I clean it up BEFORE it ever goes into the database, won't that solve the security issue?

No. If your site is only cleaning the data before it goes into the database and I can perform MySQL injection on your site, then I can place unclean data directly into your database. Then when you display my unclean data your code will not clean it before display, because you've made the assumption that everything in your database is clean, which it no longer is.
GingerRobot Posted March 6, 2008
> BUT, I want it to display the code, just not activate it (does that make sense?)... What do I need to add to this?

In other words, you don't want the HTML tags stripped out completely, you just don't want them to actually be interpreted by the browser? (E.g. you want the bold tags to show up, but not make the text bold?) If so: htmlentities.

And it's definitely better to do this on display than on input. Aside from the aforementioned security issues, what happens if you suddenly decide you DO want some of the HTML to be used?
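The approach the last two replies describe (store the text as entered, encode it where it is written into the page) as an added PHP example; this is not code from the thread, and the function name render_untrusted and the sample input are hypothetical. It also shows the caveat behind darkfreaks' allow-list suggestion: strip_tags() leaves the attributes of any allowed tag untouched, so allowing <a> keeps a javascript: href alive.

```php
<?php
// Added example (not from the thread): keep the user's text unchanged in
// storage and encode it at the point where it becomes HTML. Because the
// encoding happens on output, it holds no matter how the row got into the
// database (form, import script, or a SQL injection elsewhere).

declare(strict_types=1);

/**
 * Encode untrusted text for an HTML element body or a double-quoted
 * attribute. Tags are shown as text instead of being interpreted.
 */
function render_untrusted(string $raw): string
{
    // ENT_QUOTES encodes both ' and ", ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, as a user might type it into the text area.
$stored = 'Hello <b>world</b> <a href="javascript:alert(1)">click</a>'
        . ' <img src=x onerror=alert(1)>';

// strip_tags() with no allow list removes every tag, content and all.
echo "strip_tags, no allow list : ", strip_tags($stored), "\n";

// Once a tag is allowed its attributes survive untouched, so the
// javascript: link below is still a live link when the browser renders it.
echo "strip_tags, <a> allowed   : ", strip_tags($stored, '<a>'), "\n";

// Output encoding shows the markup literally and keeps it inert. This is
// what goes inside the page template, e.g. '<p>' . render_untrusted($x) . '</p>'.
echo "htmlspecialchars on output: ", render_untrusted($stored), "\n";
```

The third line is the one to put in the template. If you later decide some tags should be rendered, the raw text is still in the database and you can switch the display code to an HTML sanitizer that also filters attributes; nothing has to be re-imported.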
drewbee Posted March 6, 2008
Roopurt is correct. This is why I mentioned earlier that it is generally better practice to leave the entered data as it is, and clean it coming out. When I put anything in the database, it is put in exactly as the user entered. When coming out is when it is cleaned.

Take this scenario for instance. Let's say you want to htmlspecialchars all entered data. This way HTML will not be displayed on your site. Let's say you have a database field called 'title' with a max length of 20 characters.

Your user enters "My Title <truestory>" = 20 characters. However, when you put it into the database you htmlspecialchars it, converting the < and > to their unicode equivalent. This means that what goes into the database is "My Title &lt;truestory&gt;" = 26 characters.

When you go to retrieve it and display it on your site you will end up with "My Title &lt;truestor".

Always parse coming out. While you can parse going in, I wouldn't recommend it.
roopurt18 Posted March 6, 2008
^ In addition, there is also the case of reporting. If you are pulling the data for display in a container that does not render HTML, such as a reporting application, then you are going to wind up with all sorts of junk if you called something like htmlentities() before storing in the database.

Or say you later want to write a cron job that will search your database for attempts by users to insert malicious code. Now you will have to search through all sorts of &lt; or &gt; instead of simple < or >.
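The two scenarios above (drewbee's 20-character column and roopurt18's plain-text report and search job) as one added PHP example; this is not code from the thread. The VARCHAR(20) column is simulated with mb_substr() so the script runs without a database; the constant TITLE_MAX, the function names and the regular expression in looks_like_markup are assumptions made for the example. A real MySQL column truncates the same way (or rejects the row in strict mode).

```php
<?php
// Added example (not from the thread): the same title stored two ways,
// encoded before storage versus stored raw and encoded on display.

declare(strict_types=1);

const TITLE_MAX = 20; // assumed column width, as in drewbee's scenario

/** Simulate writing into a VARCHAR(TITLE_MAX) column (silent truncation). */
function store_title(string $value): string
{
    return mb_substr($value, 0, TITLE_MAX, 'UTF-8');
}

/** Encode for HTML at display time. */
function encode_for_html(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The kind of check a nightly job might run over stored text: any tag-like '<'? */
function looks_like_markup(string $stored): bool
{
    return (bool) preg_match('/<[a-zA-Z!\/]/', $stored);
}

// Constructed sample: exactly 20 characters.
$userInput = 'My Title <truestory>';

// Approach 1: encode on input. The entities push the value past the
// column limit, and the truncation leaves a broken entity in the table.
$encodedFirst = store_title(encode_for_html($userInput));
printf("encode-then-store : %s (%d chars stored)\n", $encodedFirst, mb_strlen($encodedFirst, 'UTF-8'));
printf("  browser shows   : %s\n", html_entity_decode($encodedFirst, ENT_QUOTES, 'UTF-8'));
printf("  plain-text report: %s\n", $encodedFirst); // entities leak into non-HTML output

// Approach 2: store raw, encode on output. The full title fits, the web
// page is still safe, and non-HTML consumers get what the user typed.
$rawStored = store_title($userInput);
printf("store-then-encode : %s (%d chars stored)\n", encode_for_html($rawStored), mb_strlen($rawStored, 'UTF-8'));
printf("  plain-text report: %s\n", $rawStored);

// Searching for markup is a simple '<' match against raw data; the same
// title stored pre-encoded contains no '<' at all, so the check misses it.
printf("markup found in raw row     : %s\n", looks_like_markup($rawStored) ? 'yes' : 'no');
printf("markup found in encoded row : %s\n", looks_like_markup($encodedFirst) ? 'yes' : 'no');
```

The length problem is the visible symptom; the underlying one is that encoding is specific to the output context (HTML here), while the database is shared by every consumer, so the encoding belongs with the consumer that needs it.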