Detecting quotes and html tags

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

BigAbe
Forum Commoner
Posts: 66
Joined: Fri Mar 31, 2006 7:41 pm

Post by BigAbe »

I'm working with a form where the user can enter in a brief summary and I want to prevent any misuse of quotes or html.

When I try to submit the following entry to the DB, the quotation marks and anything after it gets removed.

I'm already using stripslashes, but that's it right now.

How can I prevent quotation marks from causing any issues as well as html tags or even worse javascript?

Thanks,

-- Abe --
santosj
Forum Contributor
Posts: 157
Joined: Sat Apr 29, 2006 7:06 pm

Post by santosj »

Code:

```php
// Entity-encode the two characters that open and close a tag, so the
// browser shows them literally instead of parsing them as HTML.
$message = str_replace('<', '&lt;', $message);
$message = str_replace('>', '&gt;', $message);
```

There are better code snippets out there, but this should meet your requirements. If you want to remove all of the tags, then you should try the PHP HTML functions. The only issue with them however is that they don't remove attributes well.
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

BigAbe
Forum Commoner
Posts: 66
Joined: Fri Mar 31, 2006 7:41 pm

Post by BigAbe »

Thanks a bunch!

Before I got any replies, I managed to find strip_tags() and this seemed to be the best one for the job for removing the html. It's also taking care of any issues with the quotes.

Is anyone familiar with strip_tags() and know if there is any other precaution I should take?

Again, thanks for all your help everyone!

-- Abe --
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

strip_tags() will remove all tags. If you want to show the tags but not allow them to do any damage you need to use htmlentities().
BigAbe
Forum Commoner
Posts: 66
Joined: Fri Mar 31, 2006 7:41 pm

Post by BigAbe »

hawleyjr wrote: strip_tags() will remove all tags. If you want to show the tags but not allow them to do any damage you need to use htmlentities().
Ah ok. Thanks for the heads up.

I don't want users to input any html codes, but in any future projects, I will definitely heed your advice!

Mahalo!

-- Abe --
aerodromoi
Forum Contributor
Posts: 230
Joined: Sun May 07, 2006 5:21 am

Post by aerodromoi »

BigAbe wrote:
hawleyjr wrote: strip_tags() will remove all tags. If you want to show the tags but not allow them to do any damage you need to use htmlentities().
Ah ok. Thanks for the heads up.

I don't want users to input any html codes, but in any future projects, I will definitely heed your advice!

Mahalo!

-- Abe --
There is one advantage to htmlentities though - you actually see what has been posted.

aerodromoi
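The two separate problems in Abe's original question (quotes breaking the database insert, and HTML or JavaScript in the summary) together with hawleyjr's strip_tags() versus htmlentities() distinction, as one runnable script. This is an added example, not code posted in the thread. It assumes PHP 7 or later with the pdo_sqlite extension, so the database part runs against an in-memory SQLite database with no setup; the sample summary string is constructed for the demonstration. htmlspecialchars() is used where the thread says htmlentities(); for the purpose discussed here (neutralising `<`, `>`, `&` and both kinds of quote) the two behave the same.

```php
<?php
// Added example, not from the thread. Two different problems, two different fixes:
//
//  1. A quote "removing everything after it" on insert is the symptom of
//     building SQL by string concatenation: the apostrophe closes the SQL
//     string literal. The fix is a prepared statement with a bound parameter,
//     which makes stripslashes()/addslashes() games irrelevant.
//  2. HTML/JavaScript in the summary only does damage when the summary is
//     echoed into a page. Neutralise it at output time with htmlspecialchars().
//     strip_tags() is an input filter: it deletes whole tags but escapes no
//     quotes and, with an allow-list, leaves attributes untouched.
//
// Assumes PHP >= 7 with pdo_sqlite (assumption; any PDO driver works the same way).

// Constructed sample input: an apostrophe, a script tag, and a payload that
// only becomes live inside a double-quoted HTML attribute.
$summary = "Abe's summary <script>alert(1)</script> \" onmouseover=\"alert(2)";

// --- 1. Storing the summary -------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, summary TEXT NOT NULL)');

// The vulnerable pattern: the apostrophe in "Abe's" terminates the literal and
// the rest of the input is parsed as SQL, so the statement is rejected (or,
// with a crafted input, executed).
$bad = "INSERT INTO entries (summary) VALUES ('" . $summary . "')";
try {
    $db->exec($bad);
    echo "string-built INSERT unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "string-built INSERT failed: " . $e->getMessage() . "\n";
}

// Bound parameter: the value travels separately from the SQL text, so quotes
// are always data and never syntax. Nothing is stripped or escaped on input.
$stmt = $db->prepare('INSERT INTO entries (summary) VALUES (:summary)');
$stmt->execute([':summary' => $summary]);

$stored = $db->query('SELECT summary FROM entries')->fetchColumn();
echo "stored verbatim: " . ($stored === $summary ? 'yes' : 'no') . "\n";

// --- 2. Displaying the summary ----------------------------------------------

// strip_tags() deletes the <script> and </script> tags (the text between them
// stays), but the stray quote and onmouseover= survive. Dropped into a
// value="..." attribute that is still script execution.
$stripped = strip_tags($stored);
echo "strip_tags:       $stripped\n";

// With an allow-list, strip_tags() keeps the permitted tag including any
// attributes on it, which is the weakness santosj mentions above.
$partial = strip_tags('<b onmouseover="alert(3)">bold</b>', '<b>');
echo "strip_tags(<b>):  $partial\n";

// htmlspecialchars() with ENT_QUOTES turns < > & " ' into entities, so the
// browser renders the text literally (aerodromoi's "you see what was posted").
$escaped = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "htmlspecialchars: $escaped\n";

// Escaping belongs where the value is emitted, once per output context.
// These two lines are safe as element text and as a quoted attribute value
// only because $escaped, not $stored or $stripped, is what gets written.
echo '<p>' . $escaped . "</p>\n";
echo '<input type="text" name="summary" value="' . $escaped . "\">\n";
```

Run it with `php` from the command line. The concatenated INSERT raises a PDOException, the prepared one stores the apostrophe and the tags unchanged, and the last two lines show the summary rendered harmlessly; compare the strip_tags() lines with the htmlspecialchars() line to see what each one leaves behind.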