PHP security

Anon

Hi, I have a classifieds section of my website where users can, of course, post their own ads. I want to know how to make the site secure from people who are knowledgable about what they are doing, and could post a script in one of the text boxes, and eventually cause some minor (or major even) havoc. I would like to be able for users to use html in the description of their products, so I don't want to strip the html characters. I new at this, and quite frankly don't know to what extent this could be a threat to the entire website or my database. any enlightenment would be appreciated. thanks

blue presley

Anon

See the strip_html() function, which will allow you to specify a list of tags that you consider safe. It will prevent users from embedding Javascript, PHP code, et cetera.

It does not, however, validate the input HTML. A user could open a <b> tag and not close it, et cetera.

I think you could write code using the XML parser that would count open tags and let you ensure that they are closed, but I have not tried it.