1

I have a text form field that users my enter notes into. I then use a PHP/MySQL database to store these entries. How do I prevent somebody from entering HTML into the text field?

Improve this question

4 Answers 4

Reset to default
6

You're probably looking for strip_tags

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Because strip_tags() does not actually validate the HTML, partial, or broken tags can result in the removal of more text/data than expected.
@RobertPitt: But that's better than parsing HTML with RegEx as anyone that's been on SO a bit can tell you. ;-)
I never said anything about parsing with Regex, I was just pointing out a small issue with solely relying on strip_tags.
5

Dont do anything to the text, just store it as they enter it.

Reason being is that maybe you was to add content that looks like html but actually isn't. for example

I was updating the site erlier and i had to add a few < br > tags to let the content move down a touch.

What you shuold be doing is storing the content as it is within the database making sure that you escape the data for SQL injection purposes, and then upon output to the browser you should escape using htmlentites the content like so:

<div id="notes">
    <?php echo htmlentities($row['note']) ?>
</div>

this way the html tags does not take any effect on the actual DOM as there escaped, the desired output within the DOM should look like:

I was updating the site erlier and i had to add a few &lt; br &gt; tags to let the content move down a touch.

and the user would actually see the <br> as plain text

Hope this helps.

Improve this answer

Comments

0

if you're planning to also store the data in your database, you need to clean the input using mysql_real_escape_string() to prevent SQL injection (http://en.wikipedia.org/wiki/SQL_injection)

Improve this answer

Comments

0

1. Filter input

First filter your input

Input filtering is one of the cornerstones of any application security, independently of the language or environment.

2. Use PDO

Next use PDO prepared statements to make your SQL queries safe.

A prepared statement is a precompiled SQL statement that can be executed multiple times by sending just the data to the server. It has the added advantage of automatically making the data used in the placeholders safe from SQL injection attacks.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.