Stopping HTML passing to database

Addos
Forum Contributor
Posts: 305
Joined: Mon Jan 17, 2005 4:13 pm


Post by Addos »

Hi,
I have a form (textarea) where text can be inserted into a database by visitors to the site. I’m trying to stop unwanted spam in the form of any HTML being passed to the database, so I’m working with the following bit of script:

Code:

$html = $_POST['GuestDetails'];
if (strpos($html, 'http://,html,www') === 0) {
    $html = substr($html, 0);
}

As I’m so new to all of this, I wonder if anybody can tell me if I’m heading in the right direction and if this bit of script is likely to do the job.
Thanks a mil
Brian
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

php_wiz_kid
Forum Contributor
Posts: 181
Joined: Tue Jun 24, 2003 7:33 pm

Post by php_wiz_kid »

What you could do is use str_replace to find < and > symbols and then replace them with the HTML entities &lt; and &gt;

Example

Code:

$string_to_find = ">";
$string_to_replace = "&gt;";
$html = "<input type=\"text\" name=\"...\" value=\"<this is a test>\" />";
$html_string = str_replace($string_to_find, $string_to_replace, $html);

$string_to_find = "<";
$string_to_replace = "&lt;";
// Replace in the already-converted string so that both substitutions apply
$html_string = str_replace($string_to_find, $string_to_replace, $html_string);
If you were to echo $html_string you would get (in source code):

Code:

&gt;this is a test&lt
In a browser you would get (in a text box):

Code:

<this is a test>

Another thing you could do is replace $string_to_replace with an empty string to not have any < > signs at all.

Code:

$string_to_replace = "";
php_wiz_kid
Forum Contributor
Posts: 181
Joined: Tue Jun 24, 2003 7:33 pm

Post by php_wiz_kid »

If you're wanting to use HTML entities (changing < to &lt;) you can use the htmlentities() function.
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

An even more clever thing would be to take all instances of http://www.*.com, http://www.*.net, and http://www.*.org and replace the * with your site name. :wink:

Check out regular expressions in the manual for more info.
Addos
Forum Contributor
Posts: 305
Joined: Mon Jan 17, 2005 4:13 pm

Post by Addos »

Thanks for your help. So far I have managed to start grabbing IPs and inserting them into a field in my MySQL database using the following:

Code:

<input type="hidden" name="ip"
       value="<?php
// Prefer the resolved host name if the server provides it, otherwise
// resolve the client address ourselves
if (!empty($_SERVER['REMOTE_HOST'])) {
    print $_SERVER['REMOTE_HOST'];
} else if (!empty($_SERVER['REMOTE_ADDR'])) {
    print gethostbyaddr($_SERVER['REMOTE_ADDR']);
} ?>">

Already I have used this on two sites and so far I have received the following IPs which have been inserted into the database (both exactly the same IP):

dialup.82.209.210.18.belpak.gomel.by

I have then set up a .htaccess file and inserted the following in the hope that I can block this somewhat:

Code:

<Limit GET POST>
order allow,deny
allow from all
deny from dialup.82.209.210.18.belpak.gomel.by
</Limit>

So based on all of this I have a few questions. Firstly, I appreciate that this is probably a very basic method with lots of workarounds, but as I’m so new to PHP and have never done this before, I’m pleased that I have got this little result so far.

I appreciate that the IP can change too, so I’m open to trying to develop this bit of script further.

Also, how do I add more than one IP to the following part of the script?
‘dialup.82.209.210.18.belpak.gomel.by’ For example, if I try to add one using a ‘,’ it seems to ignore the script, e.g. dialup.82.209.210.18.belpak.gomel.by, 123.456.789 etc.

So far blocking this IP has stopped the 4 or more a day spam entries that were going into this guestbook!

Thanks very much for all your help
Brian
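As an added example that is not code from any post in this thread: it applies the entity conversion php_wiz_kid describes using htmlspecialchars(), shows why the strpos() check in the original question does not catch HTML, and stores the entry with a prepared statement, reading the visitor's address from $_SERVER on the server side rather than from the hidden form field in Brian's post, since a visitor can edit a hidden field before submitting. The table and column names and the function names are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Table, column and function
// names are assumed for illustration.

// Turn < > & " ' into entities so whatever a visitor typed is displayed as
// literal text rather than interpreted as markup by the browser.
function escape_guest_details(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The check from the original question, kept for comparison: strpos()
// searches for the literal string 'http://,html,www', not for each of the
// three words separately, so it only matches input beginning with exactly that.
function original_check_matches(string $raw): bool
{
    return strpos($raw, 'http://,html,www') === 0;
}

// Record the address the web server saw for this request, not a value the
// browser submitted; a hidden form field can be altered by the visitor.
function visitor_address(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? 'unknown';
}

// Prepared statement: the text is bound as data, so it cannot change the SQL
// however many quotes or tags it contains.
function store_guest_entry(PDO $db, string $raw): void
{
    $stmt = $db->prepare(
        'INSERT INTO guestbook (details, remote_ip) VALUES (:details, :ip)'
    );
    $stmt->execute([
        ':details' => escape_guest_details($raw),
        ':ip'      => visitor_address(),
    ]);
}

// Constructed sample of the kind of spam the thread describes.
$sample = '<a href="http://www.example.com/">cheap pills</a><script>x()</script>';
var_dump(original_check_matches($sample));  // the original check does not flag this
echo escape_guest_details($sample), "\n";    // rendered as harmless text when echoed
```

The same conversion can instead be applied when the entry is displayed rather than before it is stored; what matters is that it happens on every path the text takes to a browser.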