View Full Version : How do I keep HTML code in a textarea when submitted?

02-12-2010, 06:05 PM

I have a textarea box for submission in a form and I want to be
able to allow the html code and php code to be submitted
- but render it harmless.

Actually exactly the same way that this forum works.

Usually I process all my form submitted variables ( inc textareas )
through the following function:

function safe_sql( $value )
$value = strip_tags(trim($value));

// Stripslashes
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
$value = stripslashes($value);
// Quote if not integer
if (!is_numeric($value)) {
$value = mysql_real_escape_string($value);
return $value;
} // End of Function

That is fine for normal use as it protects me from injection attacks.

But it is stripping out all the html where as I want
it to stay in but be rendered harmless.

Does anyone know what I should be using to allow this to happen ?



02-12-2010, 06:10 PM
Simply don't strip the tags. You can safely store the tags as text in your database without risk of injection (as long as you use mysql_real_escape_string() of course).

The area you may run into mischief is when you retrieve the text from the database and output it to a browser. If there are <script> tags in there, for example, they could lead to trouble.

02-12-2010, 06:57 PM
Yer, well that is what I need to do.

The form is allowing a student to enter their assignment which will include html, php and js code.

After the form is submitted the textarea is saved and then returned back to the form.

The form is pretty simple:

<div class="assign" >
<form name="main_fm" action ='coaching1.php' method = 'POST'>
<span><input type='hidden' name = 'updt' value = 'yes' ></span>

<textarea id="TheTextArea" class="data1" rows="22" cols="82" name="x_assign"><?php echo $assign1 ?></textarea>
<div style="width:400px; margin:10px 0 0 174px; padding:10px; border:2px solid blue;float:left;" >
<input class="button1 bord" type="submit" value="Update Work Area">

The processing:

if (@$_POST['updt'] == "yes" ){
$N_assign = $_POST['x_assign'];
$Db_assign = safe_sql($_POST['x_assign']);

$sql = "UPDATE clients SET assign1 = '$Db_assign' WHERE client_id = '$user' ";

mysql_query($sql)or die("could not UPDATE client". mysql_error());
} // end if

$sql = "SELECT * FROM clients WHERE client_id = '$user' ";
$result = mysql_query($sql) or die("could not execute FIND MEMBER $user");
if(mysql_num_rows($result) == 0 ){
$err_msg2 = "Your client details were not recognized.";
require_once ("index_fm.php");
} // end if

else { // i.e. THE CLIENT DOES EXIST
$row = mysql_fetch_assoc($result);

I don't display the data any where else, just in the textarea of the form to enable continuous updating.

Any ideas what I can do ?

BTW - I took out the strip_tags and it now displays great, but
I am a bit worried about the possible injectiion use "script" tag.

How do forums protect themselves ?


02-13-2010, 03:13 AM
htmlspecialchars or htmlentities. Never echo raw, unsanitised input/output.

02-13-2010, 05:53 AM
OK - that's great

So I used this in the form:

<?php echo htmlentities($assign1, ENT_QUOTES); ?>

And now when I look at the source code, I have this:

&lt;div class=&#039;stages&#039;&gt;&lt;span&gt;Setting Up &lt;/span&gt;&lt;/div&gt;

&lt;div class=&quot;video&quot; &gt;

Which looks ugly as sin, but I guess is pretty safe.

Of course it looks fine in the browser.


02-18-2010, 02:07 AM
You could add the additional argument to the strip_tags() function.

The second (optional) argument is a list of tags you allow in the string.

For example, I'm posting a new blog entry, and want to be able to use the paragraph and bold tag. I'd do this:

$blog = $_POST['blog'];
$blog = trim($blog);
$blog = strip_tags($blog, '<p><b>');
$blog = mysql_real_escape_string($blog);