View Full Version : How would I go about disabling html tags?

12-15-2006, 02:58 PM
OK, let me explain more in depth.

What I really need is a tag or something in HTML that will replace < with &lt;.
You see, I'm making a comment box. It works and sends the information perfectly, and I'm working on the PHP now (dynamic includer :o). And well, it just hit me... what if someone knows a little bit of HTML and/or any other web scripting language? They could do some screwing (any is too much, even though it wouldn't be too much damage with just one page, but anyway...). How would I prevent this from happening? So my first idea: if I stop HTML from actually working (for example, on www.pastebin.ca you could paste HTML tags without triggering anything... I want the same basic idea). I know I probably didn't make much sense; I hope someone gets me :)

I just want to prevent (but not disallow posting) HTML.
Again, what I mean is I want it to show... just not end up as part of my website source. The method I'm using to include a comment is <?php include("comments/".$_POST['user'].".txt"); ?> and I don't want it to mess with my site source... any help is appreciated, thanks in advance!

12-15-2006, 03:43 PM
The PHP function htmlentities (http://nl3.php.net/manual/en/function.htmlentities.php).
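The htmlentities/htmlspecialchars answer carried through in PHP, as an added example (not Vin0rz's code and not the original poster's comment box): the stored comment is read as data and escaped at the moment it is printed. The helper names, the comments/<user>.txt layout and the sample comment are assumptions for the illustration. Two caveats about the include() line quoted in the question that the thread does not raise: include() runs the file as PHP, so a comment containing a PHP open tag would execute, and a name taken straight from $_POST['user'] can point the path at any file on disk; reading the file with file_get_contents() and accepting only a plain identifier as the name addresses both.

```php
<?php
// Added example, not code from the thread. Assumptions: comments are stored
// as plain text in comments/<user>.txt, and <user> comes from the form.

// Escape on output so the comment is displayed literally rather than parsed.
// ENT_QUOTES also converts ' (the default flags leave it alone), and naming the
// charset avoids mangled multi-byte text. nl2br keeps the poster's line breaks.
function escape_comment($text) {
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// Accept only a plain identifier as the file name, so "../../etc/passwd"
// or a name containing a slash is rejected before it reaches the path.
function comment_path($user) {
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $user)) {
        return null;
    }
    return __DIR__ . '/comments/' . $user . '.txt';
}

// Read the stored comment as data. file_get_contents() never executes the
// file; include() would run any PHP open tag the visitor had typed.
function show_comment($user) {
    $path = comment_path($user);
    if ($path === null || !is_file($path)) {
        return '';
    }
    return escape_comment(file_get_contents($path));
}

// Constructed input standing in for what a visitor might submit.
$comment = "<script>alert('x')</script>\n<?php echo 'run me'; ?>\n\"quoted\" & <b>bold</b>";

echo escape_comment($comment), "\n";
var_dump(comment_path('../etc/passwd'));   // rejected by the pattern
var_dump(comment_path('alice'));           // accepted
```

The tags and quotes in the constructed comment come out as &lt;, &gt;, &quot; and &#039;, so the browser shows them as text exactly as the poster typed them, which is the "show it, but keep it out of the page source" behaviour the question asks for.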

12-15-2006, 04:30 PM
Hello Inoob,

&lt; can take the place of <

12-15-2006, 05:15 PM
Again what I mean is I want it to show... just not end up as part of my website source

That's not possible.

As Vin0rz said, you can use the PHP htmlentities function to change <, >, and so on to &lt;, &gt; and so on.

However, then they will show up that way in the code. You can't have it both ways. In order for HTML to 'show', it has to be written in the source code.

You could use the PHP function strip_tags() (http://us3.php.net/manual/en/function.strip-tags.php) to allow certain tags, like <p> and <br />, and remove all the others, like <script>....

HTH, Dan
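An added example of the strip_tags() allow-list Dan describes, with the catch a practitioner needs to know (this is not Dan's code; the sample comment and the allow_bare_tags helper are constructed for the illustration): strip_tags() removes the tags that are not allowed but leaves their text behind, and it keeps every attribute on the tags that are allowed, so an event handler on an allowed <p> survives.

```php
<?php
// Added example, not code from the thread. The comment below is constructed.
$comment = '<p>Nice site!</p><script>alert(1)</script>'
         . '<p onmouseover="alert(2)">hover me</p><br />';

// Keep only <p> and <br>. The <script> tags are removed, but their text
// "alert(1)" stays, and the onmouseover attribute on the allowed <p> survives.
$kept = strip_tags($comment, '<p><br>');

// If some tags must work, their attributes have to go as well. This reduces
// every allowed tag to its bare opening or closing form.
function allow_bare_tags($html, array $tags) {
    $html = strip_tags($html, '<' . implode('><', $tags) . '>');
    $pattern = '#<(/?)(' . implode('|', array_map('preg_quote', $tags)) . ')\b[^>]*>#i';
    return preg_replace($pattern, '<$1$2>', $html);
}

$clean = allow_bare_tags($comment, array('p', 'br'));

// The simplest safe default when no tag needs to work at all: escape everything
// so the comment is shown exactly as typed.
$escaped = htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');

echo $kept, "\n", $clean, "\n", $escaped, "\n";
```

The first line of output still carries the onmouseover handler, the second has only <p>, </p> and <br>, and the third is pure text. Escaping is the default to reach for; an allow-list is only worth the extra care when posters genuinely need some markup to render.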

12-16-2006, 12:21 AM
$whatilike = array("\'", '\"');   // the backslash-prefixed quotes as they arrive in $_POST
$whatineed = array("'", '"');     // what they should become in the output
// htmlspecialchars() runs first, so by the time str_replace() looks for \" the
// quote has already become &quot; and the second replacement finds nothing
echo str_replace($whatilike, $whatineed, htmlspecialchars($_POST['comment']));

Sorry about the PHP, but it goes along with my previous post :$

You see, $whatilike[0] will work, but $whatilike[1] // \" doesn't... htmlspecialchars() changes all the < > ' " etc. into ASCII (or should), but ' and " get prefixed with the ignore character (\). How would I, in the final output, change \' and \" to just ' and "?

(without doing a str_replace() to just simply remove it...)

12-16-2006, 01:20 AM
What's wrong with doing a str_replace to 'just remove them'?

12-16-2006, 01:26 AM
... adding to whizard

It is dangerous to just remove all backslashes because this does harm when you are posting backslashes...

Inoob: The backslashes are there because by default PHP prepares incoming data (e.g. $_POST) for database queries. You also get the backslash prefixed: \\

What you want is

... stripslashes($_POST['comment'])

which does exactly what you want...
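The stripslashes() advice as an added example (not the code of anyone in the thread): undo the backslashes that magic_quotes_gpc added, and only then escape for HTML. The sample comment is constructed, and addslashes() is used to reproduce what magic_quotes_gpc does to form input, so the example behaves the same on a PHP version where the setting no longer exists. It also shows why the earlier str_replace() attempt could not match \": escaping first turns the quote into &quot;.

```php
<?php
// Added example, not code from the thread.

// Undo magic quotes, then escape. The order matters: escaping first turns
// \" into \&quot;, and a later str_replace('\"', '"', ...) finds nothing.
function comment_for_html($value, $magic_quotes_on) {
    if ($magic_quotes_on) {
        $value = stripslashes($value);   // \' -> '   \" -> "   \\ -> \
    }
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Real code detects the setting this way; get_magic_quotes_gpc() was
// removed in PHP 8, so a missing function means there is nothing to undo.
function magic_quotes_on() {
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Constructed comment containing both kinds of quote and a real backslash.
$plain  = 'Don\'t say "hi" or C:\\path';
// addslashes() applies the same transformation magic_quotes_gpc applied to $_POST.
$quoted = addslashes($plain);

echo $quoted, "\n";                            // Don\'t say \"hi\" or C:\\path
echo comment_for_html($quoted, true), "\n";    // slashes undone, quotes escaped
echo comment_for_html($plain, false), "\n";    // same result from the raw text

// Deleting every backslash instead would also destroy the C:\path the visitor
// meant, which is the objection raised above; stripslashes() only removes the
// ones magic quotes added.
var_dump(comment_for_html($quoted, true) === comment_for_html($plain, false));
```

The two escaped lines are identical and the final var_dump reports true: stripslashes() restores exactly the input the visitor typed, after which htmlspecialchars() with ENT_QUOTES handles both ' and " without any str_replace() at all.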

12-16-2006, 01:34 AM
Right.. good point