  • #1 Senior Coder (joined May 2006)

    How do I keep HTML code in a textarea when submitted?

    Hi,

    I have a textarea box for submission in a form and I want to be
    able to allow HTML code and PHP code to be submitted, but render it harmless.

    Actually exactly the same way that this forum works.

    Usually I process all my form submitted variables (inc. textareas)
    through the following function:

    PHP Code:
    function safe_sql($value)
    {
        // Drop every HTML tag, then trim surrounding whitespace
        $value = strip_tags(trim($value));

        // Undo magic_quotes escaping so the value is not escaped twice below
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }

        // Escape for MySQL unless the value is numeric
        // (mysql_real_escape_string() needs an open mysql_connect() link)
        if (!is_numeric($value)) {
            $value = mysql_real_escape_string($value);
        }
        return $value;
    } // End of Function
    That is fine for normal use as it protects me from injection attacks.

    But it is stripping out all the HTML, whereas I want
    it to stay in but be rendered harmless.

    Does anyone know what I should be using to allow this to happen?

    Thanks



    If you want to attract and keep more clients, then offer great customer support.

    Support-Focus.com. automates the process and gives you a trust seal to place on your website.
    I recommend that you at least take the 30 day free trial.

  • #2 Fumigator, UE Antagonizer (joined Dec 2005; Utah, USA, Northwestern hemisphere, Earth, Solar System, Milky Way Galaxy, Alpha Quadrant)
    Simply don't strip the tags. You can safely store the tags as text in your database without risk of injection (as long as you use mysql_real_escape_string() of course).

    The area you may run into mischief is when you retrieve the text from the database and output it to a browser. If there are <script> tags in there, for example, they could lead to trouble.

  • #3 Senior Coder (joined May 2006)
    Yeah, well that is what I need to do.

    The form is allowing a student to enter their assignment which will include html, php and js code.

    After the form is submitted the textarea is saved and then returned back to the form.

    The form is pretty simple:

    PHP Code:
    <div class="assign" >
         <form name="main_fm" action ='coaching1.php' method = 'POST'>
               <span><input type='hidden' name = 'updt' value = 'yes' ></span>
                 
                 <div>
                 <textarea id="TheTextArea" class="data1" rows="22" cols="82" name="x_assign"><?php echo $assign1 ?></textarea>
                  </div>
                    <div style="width:400px; margin:10px 0 0 174px; padding:10px; border:2px solid blue;float:left;" >
                     <br><br><br>
                   <input class="button1 bord" type="submit" value="Update Work Area">
                  </div>
                </form>
       </div>
    The processing:

    PHP Code:
    if (@$_POST['updt'] == "yes") {
        $N_assign  = $_POST['x_assign'];
        $Db_assign = safe_sql($_POST['x_assign']);

        // Note: $user is interpolated unescaped here and in the SELECT below;
        // it should go through safe_sql() as well
        $sql = "UPDATE clients SET assign1 = '$Db_assign' WHERE client_id = '$user' ";
        mysql_query($sql) or die("could not UPDATE client " . mysql_error());
    } // end if

    $sql = "SELECT * FROM clients WHERE client_id = '$user' ";
    $result = mysql_query($sql) or die("could not execute FIND MEMBER $user");
    if (mysql_num_rows($result) == 0) {
        $err_msg2 = "Your client details were not recognized.";
        require_once("index_fm.php");
        exit;
    } // end if
    else {               // i.e. THE CLIENT DOES EXIST
        $row = mysql_fetch_assoc($result);
        extract($row);   // makes $assign1 available to the form above
    }
    I don't display the data any where else, just in the textarea of the form to enable continuous updating.

    Any ideas what I can do?


    BTW - I took out the strip_tags and it now displays great, but
    I am a bit worried about possible injection using the "script" tag.

    How do forums protect themselves ?



    Last edited by jeddi; 02-12-2010 at 07:06 PM.

  • #4 Senior Coder (joined Jul 2009; South Yorkshire, England)
    htmlspecialchars or htmlentities. Never echo raw, unsanitised input/output.

  • #5 Senior Coder (joined May 2006)
    OK - that's great

    So I used this in the form:

    PHP Code:
    <?php echo htmlentities($assign1, ENT_QUOTES); ?>
    And now when I look at the source code, I have this:


    &lt;div class=&#039;stages&#039;&gt;&lt;span&gt;Setting Up &lt;/span&gt;&lt;/div&gt;

    &lt;div class=&quot;video&quot; &gt;
    Which looks ugly as sin, but I guess is pretty safe.

    Of course it looks fine in the browser.

    Thanks
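An added example, not code from this thread, that puts the advice in #2, #4 and #5 into one runnable script. It keeps the two boundaries apart: at the SQL boundary the submitted HTML is stored verbatim through a bound parameter (PDO with an in-memory SQLite table stands in for the thread's mysql_* calls, which were removed in PHP 7), and at the HTML boundary the text is encoded only when it is echoed back into the textarea. The `clients` table contents, the client_id value `c1`, the sample submission and every function name (`open_db`, `save_assignment`, `load_assignment`, `textarea_raw`, `textarea_safe`, `textarea_closers`, `check`) are constructed for the example; it assumes the pdo_sqlite extension, which ships with most PHP builds.

```php
<?php
declare(strict_types=1);

// Constructed sample submission: the student's markup from #5, followed by a
// payload that closes the textarea early and runs script if echoed raw, and
// a non-ASCII character to show what the encoders do to ordinary text.
const SAMPLE = "<div class='stages'><span>Setting Up </span></div>\n"
             . "</textarea><script>alert(document.cookie)</script><textarea>\n"
             . "Héllo";

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');   // assumption: pdo_sqlite is available
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE clients (client_id TEXT PRIMARY KEY, assign1 TEXT)');
    $db->exec("INSERT INTO clients VALUES ('c1', '')");   // constructed client row
    return $db;
}

// SQL boundary: no strip_tags(), no hand escaping. The value is bound, so the
// quotes and tags inside it cannot alter the statement, and it is stored as-is.
function save_assignment(PDO $db, string $user, string $assign): void
{
    $st = $db->prepare('UPDATE clients SET assign1 = :a WHERE client_id = :id');
    $st->execute([':a' => $assign, ':id' => $user]);
}

function load_assignment(PDO $db, string $user): ?string
{
    $st = $db->prepare('SELECT assign1 FROM clients WHERE client_id = :id');
    $st->execute([':id' => $user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['assign1'];
}

// HTML boundary before the fix: the raw echo coaching1.php started with.
function textarea_raw(string $assign): string
{
    return '<textarea name="x_assign">' . $assign . '</textarea>';
}

// HTML boundary after the fix. ENT_QUOTES covers both quote styles, and naming
// the charset matters on PHP before 5.4, where the default was ISO-8859-1 and
// UTF-8 input could be mangled. htmlspecialchars() encodes only & < > " ' and
// leaves letters such as é alone; htmlentities() would encode those as well.
function textarea_safe(string $assign): string
{
    return '<textarea name="x_assign">'
         . htmlspecialchars($assign, ENT_QUOTES, 'UTF-8')
         . '</textarea>';
}

// How many "</textarea>" closers the markup contains. Anything beyond the one
// the form itself writes lets the browser out of the textarea.
function textarea_closers(string $html): int
{
    return substr_count(strtolower($html), '</textarea>');
}

function check(bool $ok, string $what): void
{
    printf("[%s] %s\n", $ok ? 'ok' : 'FAIL', $what);
}

$db = open_db();
save_assignment($db, 'c1', SAMPLE);
$stored = load_assignment($db, 'c1') ?? '';

check($stored === SAMPLE, 'database round trip keeps the tags verbatim');
check(textarea_closers(textarea_raw($stored)) > 1, 'raw echo lets a second </textarea> through');
check(textarea_closers(textarea_safe($stored)) === 1, 'encoded echo has only the closer the form wrote');
// What the browser posts on the next update is the decoded text, so the
// encoding applied at output never reaches the database.
check(html_entity_decode(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8') === $stored,
      'encode at output, decode in the browser: nothing accumulates');
echo "\n", textarea_safe($stored), "\n";
```

Run it with `php example.php`. The raw rendering carries the student's `</textarea>` as a second, live closer, which is the breakout #2 warns about; the encoded rendering has only the closer the form wrote, and the `html_entity_decode()` check shows the browser will submit the original text unchanged on the next update, so the stored column never gains a layer of entities. `htmlspecialchars()` touches only `& < > " '`, which is why the `é` stays readable; `htmlentities()` as used in #5 would turn it into `&eacute;`. Both are safe in this context, the difference is only how the page source looks.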

  • #6 New Coder (joined May 2009; Pennsylvania, United States)
    You could add the additional argument to the strip_tags() function.

    The second (optional) argument is a list of tags you allow in the string.

    For example, I'm posting a new blog entry, and want to be able to use the paragraph and bold tag. I'd do this:

    PHP Code:
    $blog = $_POST['blog'];
    $blog = trim($blog);
    $blog = strip_tags($blog, '<p><b>');   // keep only <p> and <b>
    $blog = mysql_real_escape_string($blog);
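An added example, not code from this thread, for the allowlist in #6 and for the question in #3 about how forums protect themselves. It shows the limit of `strip_tags()` with an allowed-tags list (the PHP manual warns that attributes on the allowed tags, `onmouseover` and `style` included, are left untouched) next to an alternative that encodes the whole string and then re-enables only exact, attribute-free tags, which is the idea behind BBCode-style forum markup. The sample post and the function names (`allow_by_strip_tags`, `allow_by_reenable`, `live_tags`, `has_tag_with_attributes`) are constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample post: a clean paragraph, permitted tags carrying hostile
// attributes, a script block, and a link with a javascript: URL.
const POSTED = '<p>Intro</p>'
             . '<p onmouseover="alert(1)">hover me</p>'
             . '<b style="width:expression(alert(2))">bold</b>'
             . '<script>alert(3)</script>'
             . '<a href="javascript:alert(4)">link</a>';

// The approach from #6: keep <p> and <b>, drop every other tag. strip_tags()
// removes the tags it does not allow but keeps their text, and leaves the
// attributes on the tags it does allow untouched.
function allow_by_strip_tags(string $s): string
{
    return strip_tags(trim($s), '<p><b>');
}

// Alternative: encode the whole string for HTML first, then turn only the exact
// strings <p>, </p>, <b>, </b> back into real tags. A tag that carries any
// attribute no longer matches and stays as visible text. The match is
// deliberately case-sensitive: only the lowercase, attribute-free forms come back.
function allow_by_reenable(string $s, array $tags = ['p', 'b']): string
{
    $out = htmlspecialchars(trim($s), ENT_QUOTES, 'UTF-8');
    foreach ($tags as $t) {
        $out = str_replace(["&lt;$t&gt;", "&lt;/$t&gt;"],
                           ["<$t>",       "</$t>"], $out);
    }
    return $out;
}

// Names of the live (unencoded) opening tags left in the markup.
function live_tags(string $html): array
{
    preg_match_all('/<([a-z]+)[\s>]/i', $html, $m);
    return array_map('strtolower', $m[1]);
}

// Crude check for the demo, not a sanitizer: does any live tag still carry an
// attribute?
function has_tag_with_attributes(string $html): bool
{
    return (bool) preg_match('/<[a-z]+\s+[^>]*=/i', $html);
}

foreach (['strip_tags() allowlist' => allow_by_strip_tags(POSTED),
          'encode, then re-enable' => allow_by_reenable(POSTED)] as $label => $html) {
    printf("%s\n  %s\n  live tags: %s; attributes left: %s\n\n",
        $label, $html,
        implode(',', live_tags($html)) ?: '(none)',
        has_tag_with_attributes($html) ? 'yes' : 'no');
}
```

Run it with `php example.php`. The first output still has `onmouseover` on its second `<p>` and `style` on its `<b>`, which is exactly what `strip_tags()` promises to leave alone, so the "allowed" tags are still a script vector; the second output keeps only the clean `<p>` live and shows every other tag, the script block and the javascript: link included, as literal text. The stray `</p>` and `</b>` closers in the second output are harmless to the browser; a stricter version would track nesting. The point of the pattern is that user text is never trusted as HTML: the page generates its own fixed vocabulary of attribute-free tags, which is how BBCode-style markup on forums keeps bold and paragraphs while ruling out `<script>`.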

