  1. #1
    New to the CF scene

    How would I go about disabling html tags?

OK, let me explain more in depth.

    edit:
What I really need is like a tag or something in HTML that will replace < with &lt;

You see, I'm making a comment box. It works, sends information perfectly, and I'm working on the PHP now (dynamic includer), and well, it just hit me... what if someone knows a little bit of HTML and/or any other web scripting language? They could do some screwing (any is too much, even though it wouldn't be too much damage with just 1 page, but anyway...). How would I prevent this from happening? So my first idea: if I stop HTML from actually working (for example, on www.pastebin.ca you can paste HTML tags without it triggering anything... I want the same basic idea). I know I probably didn't make much sense, I hope someone gets me.

    I just want to prevent (but not disallow posting) html.
Again, what I mean is I want it to show... just not end up as part of my website source. The method I'm using to include a comment is <?php include("comments/".$_POST['user'].".txt"); ?> and I don't want it to mess with my site source... any help is appreciated, thanks in advance!
    Last edited by Inoob; 12-15-2006 at 03:28 PM.

  • #2
    Regular Coder
    The PHP function htmlentities.
    Yeah that.

  • #3
    Master Coder Excavator's Avatar
Hello Inoob,

    Code:
    &lt;
    can take the place of <
    Validate often DURING development - Use it like a splelchecker | Debug during Development |Write it for FireFox, ignore IE
    Use the right DocType | Validate your markup | Validate your CSS | Why validating is good | Why tables are bad

  • #4
    Senior Coder whizard's Avatar
    Quote Originally Posted by Inoob
    Again what I mean is I want it to show... just not end up as part of my website source
That's not possible.

As Vin0rz said, you can use the PHP htmlentities function to change <, >, and so on to &lt;, &gt; and so on.

    However, then they will show up that way in the code. You can't have it both ways. In order for HTML to 'show', it has to be written in the source code.

    You could use the PHP function strip_tags() to allow certain tags, like <p> and <br />, and remove all the others, like <script>....

    HTH, Dan
    PHP Tip: If you want to use short tags (<? or <?=$var) then make sure short_open_tag is set to "1". It really helps.

    Don't forget to save everyone time and mark your thread as Resolved :)

    "Also note that it is your responsibility to die() if necessary."

    DON'T USE THE MYSQL_ EXTENSION
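The two approaches Dan describes, put side by side as an added example (this is editor-supplied code, not from any poster in the thread). It shows why encoding the comment with htmlspecialchars() is the safe default and why strip_tags() with an allow-list is not enough on its own: strip_tags() leaves attributes such as onmouseover on the tags it keeps. It also covers the comment loader from post #1, which builds a path from $_POST['user'] and include()s it; the commentFileFor() name rule and the comments/ directory layout are assumptions for the example.

```php
<?php
// Added example, not from the thread: show a submitted comment as text
// rather than running it, and load the stored comment file safely.

// Constructed sample input, the kind of comment the thread worries about.
$comment = '<b>nice</b> <p onmouseover="alert(1)">hi</p> <script>alert(1)</script>';

// Strategy 1: encode every HTML-significant character. ENT_QUOTES also covers
// the single quote, which matters if the value is ever placed in an attribute.
function renderAsText(string $comment): string
{
    return htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Strategy 2: strip_tags() with an allow-list. It drops <script>, but it does
// NOT touch attributes on the tags it keeps, so the onmouseover handler on <p>
// survives. Use this only together with an attribute filter or a real HTML
// sanitizer library, never on its own.
function renderWithAllowedTags(string $comment): string
{
    return strip_tags($comment, '<b><p><br>');
}

// The thread loads comments with include("comments/".$_POST['user'].".txt").
// Two problems: the path is attacker-controlled, and include() executes any
// PHP code found in the file. Restrict the name and read the file as data.
function commentFileFor(string $user): ?string
{
    // Assumed rule for this example: only a short alphanumeric user name is
    // accepted, so "../" or a null byte can never reach the filesystem call.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $user)) {
        return null;
    }
    return __DIR__ . '/comments/' . $user . '.txt';
}

function loadCommentAsHtml(string $user): string
{
    $path = commentFileFor($user);
    if ($path === null || !is_file($path)) {
        return '';
    }
    // Read as text and encode on output; the file is never passed to include().
    return renderAsText((string) file_get_contents($path));
}

echo "Escaped:    ", renderAsText($comment), "\n";
echo "Allow-list: ", renderWithAllowedTags($comment), "\n";
// The allow-list output still contains <p onmouseover="alert(1)">; the
// escaped output contains only inert &lt;...&gt; text.
```

Run it from the command line with php on the file; the second line of output demonstrates the attribute that strip_tags() leaves in place. In a real handler, loadCommentAsHtml($_POST['user']) replaces the include() call from the first post.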

  • #5
    New to the CF scene

    ok.. I still have an issue

    Code:
        <?php
          // backslash-quote sequences to look for in the posted comment...
          $whatilike = array("\'", '\"');
          // ...and the plain quotes to put in their place
          $whatineed = array("'", '"');
        ?><b><?php
          // note: by the time str_replace() runs, htmlspecialchars() has already
          // turned " into &quot;, so the \" pattern no longer matches
          echo str_replace($whatilike, $whatineed, htmlspecialchars($_POST['comment']));
        ?></b>
    sorry about the php but it goes along with the previous post of mine :$

You see, the $whatilike[0] will work, but $whatilike[1] // \" doesn't... the htmlspecialchars() changes all the < > ' " etc. into ASCII (or should), but ' and " get prefixed with the ignore character (\). How would I, in the final output, change \' and \" to just ' and "?

    (without doing a str_replace() to just simply remove it...)

  • #6
    Senior Coder whizard's Avatar
What's wrong with doing a str_replace to 'just remove them'?

  • #7
    Senior Coder koyama's Avatar
    ... adding to whizard

    It is dangerous to just remove all backslashes because this does harm when you are posting backslashes...

Inoob: The backslashes are there because by default PHP prepares incoming data (e.g. $_POST) for database queries. You also get the backslash itself prefixed: \\

    What you want is
    ... stripslashes($_POST['comment'])
    which does exactly what you want...
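An added example (editor-supplied, not code from any poster) that works through koyama's point and the question in post #5. It simulates what magic_quotes_gpc did to $_POST with addslashes(), then shows that stripslashes() restores the typed text exactly, that deleting every backslash corrupts a legitimate Windows path, and why the \" search in post #5 never matched: htmlspecialchars() had already rewritten " as &quot;. The undoMagicQuotes() helper and the sample comment text are assumptions for the example.

```php
<?php
// Added example, not from the thread: undo magic-quotes backslashes with
// stripslashes() instead of deleting every backslash, and do it BEFORE
// htmlspecialchars() so the backslash-quote patterns still exist to match.

// Constructed input: what the commenter typed.
$typed = 'It\'s a "test" saved under C:\temp';

// Constructed: what magic_quotes_gpc (PHP < 5.4) would have placed in $_POST.
// addslashes() applies the same escaping, so it simulates that here.
$fromPost = addslashes($typed);   // It\'s a \"test\" saved under C:\\temp

// Reverse magic quotes only when they were really applied. The function was
// removed in PHP 8, so guard the call; on modern PHP this is a no-op.
function undoMagicQuotes(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Output encoding for an HTML body: done last, on the clean text.
function toHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. stripslashes() restores exactly the typed text, path backslash included.
$viaStripslashes = stripslashes($fromPost);
assert($viaStripslashes === $typed);

// 2. Deleting every backslash (the shortcut discussed above) breaks C:\temp.
$viaDelete = str_replace('\\', '', $fromPost);
assert($viaDelete === 'It\'s a "test" saved under C:temp');

// 3. Encoding first and then searching for \' and \" never matches, because
//    htmlspecialchars() has already produced \&#039; and \&quot;.
$wrongOrder = str_replace(['\\\'', '\\"'], ["'", '"'], toHtml($fromPost));
assert(strpos($wrongOrder, '\\&quot;') !== false);

// Correct order for a real request: undoMagicQuotes($_POST['comment']) first,
// toHtml() on the result. Shown here on the simulated value:
echo toHtml($viaStripslashes), "\n";
// It&#039;s a &quot;test&quot; saved under C:\temp
```

The three assert() calls document the behaviour in place; they run with the default zend.assertions=1 on a development install. Note that undoMagicQuotes() only strips when get_magic_quotes_gpc() reports the feature is on, so the same code is safe on a server where magic quotes are off and stripslashes() would otherwise eat genuine backslashes.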

  • #8
    Senior Coder whizard's Avatar
    Right.. good point

    Dan
