can I NOT let people insert HTML code?

ovisopa

Hello ppl,
today I recive an messaje from a surfer of my site www.sibiul.ro
he told me about a bug in my site that I didn't think about it 🙁 .
I have there an ad sistem (I don't know if that's the wright word), the peoplec can post a message if they seel something or need to buy something, now I think you understand.

And if somebody insert an html code in the description textbox he can alter my page when it will be displaied. My question is how can I block this, or how can I not output the description text as an html code?

10x and see ya

ahundiak

You cannot stop them from entering html but you can use strip_tags() to make it go away.
http://www.php.net/manual/en/function.strip-tags.php

Thora_Fan

htmlentities() might work as well, it converts actual HTML tags to their non-threatening equivilants.

http://www.php.net/manual/en/function.htmlentities.php

PhreakShow

Where would you put the function than??

ahundiak

Consider the case where an unfriendly user enters something like
<scriptx>for(;😉 alertx('Gotcha!')</scriptx>

(I typed scriptx instead of script and alertx instead of alert just to make sure there would be no problems).

If your script does this
$data = $_POST['data'];
echo $data; // This is bad

Then the browser would present an endless seris of alert boxes.

Let's assume that the data field should never have html tags in it. Maybe its for a person's name. In this case, we can use strip_tags to make the scripts tags go away forever.
$data = strip_tags($_POST['data']);
echo $data // This is safe

But lets say that your web site is about scripting and you want people to be able to enter tags without that tags being executed. In this case, use htmlspecialchars() or htmlentities() to convert the < and > to $lt ; and &gt ;. This prevents the browser from actiually executing the script.
$data = $_POST['data'];
echo htmlspecialchars($data); // This is safe