How do you print a literal string with HTML?



Shinykirby
03-20-2009, 07:14 PM
I'm trying to make a small user-input feature (think like a forum, but no threads or topics, just a list of user posts) and I want to prevent the use of HTML, JavaScript, PHP, etc. in the input.

I plan to have it go from a text input box through a PHP script to put it in MySQL, then have it display on the page. If I just do <?php echo $post['message']; ?>, code within the message is still valid.

It's kind of a simple problem but when I search "html literal string" in Google, I get a lot of .html pages about literal strings which doesn't help me much. :rolleyes:

_Aerospace_Eng_
03-20-2009, 07:25 PM
Before it goes into the database do a strip_tags on the input, then run it through htmlentities() and then finally make sure you are escaping special characters by using mysql_real_escape_string if you are using mysql.

You could also use something like this: http://chxo.com/chxo-scripts/safe_html/
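
Added example, not part of the original thread or any poster's code: one way to store a post and print it as literal text. It swaps in a PDO prepared statement for mysql_real_escape_string (the mysql_* functions were removed in PHP 7) and encodes with htmlspecialchars() when printing rather than before storage. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, and the `posts` table and the function names `save_post` and `render_post` are hypothetical.

```php
<?php
// Added example: store the raw message with a bound parameter, encode on output.
// Assumptions: PDO with the SQLite driver (stand-in for MySQL), table `posts`.

function save_post(PDO $db, string $message): void
{
    // Bound parameter: the message travels as data and is never spliced into the SQL text.
    $stmt = $db->prepare('INSERT INTO posts (message) VALUES (:message)');
    $stmt->execute([':message' => $message]);
}

function render_post(array $post): string
{
    // Encode &, <, >, " and ' so the browser shows markup as literal characters.
    $safe = htmlspecialchars($post['message'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // nl2br() runs after encoding, so the only tags in the output are our own <br>.
    return '<li>' . nl2br($safe) . "</li>\n";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, message TEXT NOT NULL)');

// Constructed sample input covering HTML, JavaScript, PHP tags and quotes.
$samples = [
    'Hello <b>world</b>',
    '<script>alert(1)</script>',
    '<?php echo "hi"; ?>',
    "It's a \"quoted\" post",
];
foreach ($samples as $message) {
    save_post($db, $message);
}

echo "<ul>\n";
foreach ($db->query('SELECT message FROM posts ORDER BY id', PDO::FETCH_ASSOC) as $post) {
    echo render_post($post);
}
echo "</ul>\n";

// strip_tags() is the other option from the answer: it deletes the markup
// instead of displaying it, so the reader never sees what was typed.
echo strip_tags('Hello <b>world</b>'), "\n";
```

Encoding at output keeps the stored text unchanged, so the same row can later be encoded differently for a non-HTML context.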

Shinykirby
03-21-2009, 06:25 AM
Much appreciated, thanks.


