Deleting javascript in textarea?
Posted: Sun Dec 09, 2007 9:53 am
Hi all, I am new to PHP.
I was thinking about validating text inputs. For things such as email address, passwords, usernames etc. I can just use validation to check the chars and the pattern of the string. This I understand.
However, what if we allowed users to write into a blog, and this in turn got passed into a database to get stored and retrieved? What are the techniques to reduce the possibility of users entering commands? - I can not really use any pattern, and more characters are likely to be used in a blog than something I can set limits on, such as a username or email (only letters and numbers, 6-12 chars long for example)
Also, let's say a user wanted to type in some JavaScript in this blog textarea input, so they would start it with <SCRIPT language="JavaScript"> CODE HERE </SCRIPT> - I know I can use str_replace() to replace these tags with '' (i.e. nothing - delete them) - but what about the code in between - is there a function I can use to replace code in between two strings? Or is there a better way of doing this too?
I haven't started to write any code - just thinking about it.
Basically I want a way so that if a user tries to enter JavaScript into a blog space, it will automatically delete it (from opening tags to closing tags), and escapes/gets rid of any code that could be harmful or executed...
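An added example, not part of the original post: it compares the str_replace() tag deletion described above with storing the text unchanged through a prepared statement and escaping it with htmlspecialchars() when it is written into the page. The function names, the `posts` table, the sample entries and the use of an in-memory SQLite database (pdo_sqlite extension) are assumptions made for the illustration.

```php
<?php
// Added example; helper names, table name and sample entries are constructed.

// The approach from the question: delete the literal tags with str_replace().
// str_replace() is case-sensitive and matches exact strings only, so a tag
// written in another case or with attributes is left in place.
function strip_script_tags_naive(string $input): string
{
    return str_replace(['<script>', '</script>'], '', $input);
}

// Escape at output time: every HTML metacharacter becomes an entity, so the
// browser shows the text instead of interpreting it as markup.
function escape_for_html(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store the entry exactly as typed. The prepared statement keeps the text
// separate from the SQL, so it cannot be read as a database command.
function save_post(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function load_post(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$samples = [                                   // constructed blog entries
    'ordinary text'     => 'I think 2 < 3 & "quotes" are fine; DROP TABLE posts',
    'tag from the post' => '<SCRIPT language="JavaScript">alert(1)</SCRIPT>',
    'no script tag'     => '<img src="x" onerror="alert(1)">',
];
foreach ($samples as $label => $text) {
    $stored = load_post($pdo, save_post($pdo, $text));
    printf("%s\n  tag deletion: %s\n  escaped:      %s\n\n", $label,
        strip_script_tags_naive($stored), escape_for_html($stored));
}
```

Escaping applies wherever the stored text is placed into HTML; if the blog must allow some formatting tags, that calls for an allow-list HTML sanitizer rather than tag deletion.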