Code:
<?php
$text = str_replace('</textarea>', '', $_POST['ha']);
?>
<form action="thispage.php" method="post">
<input name="blah" value="<?= $_POST['blah'] ?>" />
<textarea name="ha"><?= $text ?></textarea>
</form>
Code:
// Call before you place user input on to the database
function MakeSafe($string)
{
    $string = htmlentities($string);
    $string = addslashes($string);
    return $string;
}
// Call when you've retrieved the data and wish to display it
function MakeDisplayable($string)
{
    $string = stripslashes($string);
    $string = html_entity_decode($string);
    return $string;
}

Implied to me that some tags may not be acceptable (since we're discussing attacks perhaps <script> would be one to watch), and even if that isn't exactly what Cut meant I think it's worth consideration.

The user will be legitimately inputting certain HTML tags
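
Added example, not code from the thread: running the two helpers above back to back hands the original markup to the browser, so the escaping has to happen at output time. `escapeHtml` and `renderWithAllowedTags` are hypothetical names, and the allowlist of bare tags is an assumption about which tags the user legitimately needs.

```php
<?php
// Added example; escapeHtml() and renderWithAllowedTags() are hypothetical helpers.

// The thread's helpers, condensed, to show what the round trip produces.
function MakeSafe($string)
{
    return addslashes(htmlentities($string));
}

function MakeDisplayable($string)
{
    return html_entity_decode(stripslashes($string));
}

// Escape for an HTML text or attribute context (input value, textarea body).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape everything first, then restore only bare, attribute-less tags
// from a fixed allowlist. Tags carrying attributes stay escaped.
function renderWithAllowedTags(string $value, array $allowed = ['b', 'i', 'em', 'strong']): string
{
    $escaped = escapeHtml($value);
    $names = implode('|', array_map('preg_quote', $allowed));
    return preg_replace('~&lt;(/?)(' . $names . ')&gt;~i', '<$1$2>', $escaped);
}

// Constructed sample input: one allowed tag, one <script>, one tag with an attribute.
$input = '<b>hello</b> <script>alert(1)</script> <i onclick="x()">hi</i>';

// Compare the round trip through the thread's helpers with the original input.
var_dump(MakeDisplayable(MakeSafe($input)) === $input);

// Everything escaped: safe inside value="..." or between <textarea> tags.
echo escapeHtml($input), "\n";

// Only the bare <b> pair and the closing </i> are restored as markup;
// the <script> element and the <i onclick=...> opening tag remain text.
echo renderWithAllowedTags($input), "\n";
```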