validating textarea

roshanjameer

hi,

can anybody please tell me how to avoid the user from entering any html code like '<','>', any other malicious characters in textarea using php.

thanks
mrjameer

bogu

strip_tags

tommmmm

Would htmlentities() do alright too.

Which would be preferable?

Xenon_Design

If your into a better way (imo) you can use ereg_replace using regex.

Only downsde is that u need to know reg ex...but its not too hard to learn 🙂

if you only wan the user to enter alphanumberic characters (A-Z 0-9) and - _ then you can use this script below

$variable = "<iframe>hax time</iframe>";
//I will put the ereg_replace in a function for easy use
function ereg_html_tags($var){
ereg_replace("[^A-Za-z0-9\_\-\~\:\.\@]", "", $var);
return $var;
}
$new_variable = ereg_html_tags($variable);

That will remove all characters but A-Z a-z 0-9 _ - ~ : . @ so theres no way for HTML tagging or SQL injection.

sfullman

If you're concerned about user entering server-side executable code, you should obviously not do any type of eval() on that text and you'll be fine; even if the user enters something like:

<?php rm -r -f \*; ?>

It's not going to actually be executed.

If you're trying to prevent the user from using ANY HTML, you might consider they still want to use some HTML coding to talk "about" HTML coding (like I'm doing right now) - so htmlentities would be just fine.

Striptags() works great and you can allow for some tags to remain - see the php docs on this. However if you're having to do striptags when the user types in a table, you might have an unhappy user if you don't clearly say layout html like tables and divs is not allowed.

Just a few thoughts on this.

Samuel