
No html input in my PHP guestbook


question by Rob | Moderate

Hi there,

this might be a simple question to you, but it's a big problem to me. Lately, I'm getting a lot of spam messages on my guestbook. I've been told that it's because it is possible to use HTML when filling out the form.

I was wondering if there was a php-code that can prevent users from putting html code into the form. And of course, people should get a warning if they do put in html...

Could you please help me out?

Thanks
Rob


Re: No html input in my PHP guestbook

reply by Srirangan

Rob,

You can use strip_tags() to strip all HTML tags from a string.

Example 1. strip_tags() example
<?php
$text = '<p>Test paragraph.</p><!-- Comment --> Other text';
echo strip_tags($text);
echo "\n";

// Allow <p>
echo strip_tags($text, '<p>');
?>

Captchas can also be used to prevent post spam. Cheers!

- Sri
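An added example (not code from the thread or from Rob's script) of how strip_tags() fits into the guestbook insert. It assumes the same `gastenboek` table and the `$host`, `$user` and `$password` variables that the posted script takes from conf.php, and it swaps the string-built query for a mysqli prepared statement, so the submitted text can neither carry HTML nor change the INSERT statement.

```php
<?php
// Added example: strip HTML from every guestbook field, then store the
// entry with a prepared statement. Table and column names follow the
// script posted in this thread; function names are this example's own.

function clean_guestbook_post(array $post): array
{
    $fields = ['firstname', 'name', 'email', 'input', 'date'];
    $clean = [];
    foreach ($fields as $field) {
        $value = isset($post[$field]) && is_string($post[$field]) ? $post[$field] : '';
        // No second argument, so no tag at all is allowed through.
        $clean[$field] = trim(strip_tags($value));
    }
    return $clean;
}

function store_guestbook_entry(mysqli $db, array $entry): bool
{
    // Placeholders keep quotes inside the text from altering the statement,
    // which the original concatenated query did not guarantee.
    $stmt = $db->prepare(
        'INSERT INTO gastenboek (firstname, name, email, input, date) VALUES (?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param(
        'sssss',
        $entry['firstname'], $entry['name'], $entry['email'], $entry['input'], $entry['date']
    );
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (!empty($_POST)) {
    include 'conf.php';  // provides $host, $user, $password, as in the thread
    $db = new mysqli($host, $user, $password, 'gastenboek');
    if ($db->connect_error) {
        die('Database connection failed');
    }
    $entry = clean_guestbook_post($_POST);
    echo store_guestbook_entry($db, $entry) ? 'Saved.' : 'Could not save entry.';
}
```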


Re: No html input in my PHP guestbook

reply by Srirangan

More info about the strip_tags() at: http://www.php.net/manual/en/function.strip-tags.php


Re: No html input in my PHP guestbook

reply by Rob

Hi, thanks for replying that quickly!

If you see the code I'm using (see below), should I integrate your code into the
$query .= $_POST["input"] ."', '"; part?

Here's the code I'm using:

<?php
/*
Note: this script may not work on your server as-is.
First create a database with the fields id, voornaam, achternaam,
email, datum and bijdrage, in the way described in the book.

Also fill in the correct values for your hostname, database name, and so on.
*/

// initialise variables:
// $username = "uw_gebruikersnaam";
// $password = "uw_wachtwoord";

include("conf.php");

$dbnaam="gastenboek";
$db=mysql_connect($host,$user,$password) or die (mysql_error());
mysql_select_db($dbnaam, $db) or die (mysql_error());
if (empty($_POST)){
// first check that the page was actually called from the guestbook
echo("Schrijf eerst <a href=\"gastenboek.php\">a message</a>");
exit();
}else{
// OK, build the query from the variables in $_POST
// (each POST value is concatenated into the SQL string as submitted, without escaping)
$query="INSERT INTO gastenboek (firstname, name, email, input, date) ";
$query .= "VALUES ('"; // note the position of the single quotes
$query .= $_POST["firstname"] ."', '" ;
$query .= $_POST["name"] ."', '" ;
$query .= $_POST["email"] ."', '" ;
$query .= $_POST["input"] ."', '";
$query .= $_POST["date"] . "');" ;
$result = mysql_query($query) or die ("FOUT: " . mysql_error());
}
?>

thanks


Re: No html input in my PHP guestbook

reply by Srirangan

Try changing this
$query .= $_POST["input"] ."', '";
to
$query .= strip_tags($_POST["input"]) ."', '";

:-)

PS: You have passwords posted in the comment above; you might want to post a message in the community asking the admin to edit your post and remove the password.


Re: No html input in my PHP guestbook

reply by Rob

Thanks for the concern. The password='...' you see, however, is linked to another file. The code initialises the password from the second file...

I changed the code. As far as I can see, I can still put in HTML code. I'll check out the PHP manual...

Thanks
Rob


Re: No html input in my PHP guestbook

reply by Bejaan

Yes, strip_tags() can be used to remove unwanted HTML code, but I think captchas should be used to make sure the person submitting the form is indeed a real human being.


Re: No html input in my PHP guestbook

reply by mastercomputers

I know exactly what you would want, and it's not strip_tags, that will remove tags, but will still leave the content in it. It also has a problem with detecting ending elements, especially if you forgot to close an element, it might remove the wrong elements.

What you're wanting to do is not allow any sort of HTML, which means you'd be after a means to detect if any user is using HTML elements and instead of processing the script, give them an error message.

I would recommend using Javascript and PHP: Javascript just as a first layer of protection, while PHP will just mimic its protection but caters for when Javascript is not enabled on the end user's browser.

I suppose you would rather the code, but I do not know where you would find this, I'm currently working on writing such code for one of my projects but in the meantime I am using htmlspecialchars to convert special characters into their entity names and display it as plain text rather than have the browser render it. This also helps avoid unicode characters used mainly in phishing/spamming, e.g. the bi-directional override characters that can make text appear in reverse/backwards (RTL) and then appear normal using (LTR).

If you want an idea of what it'd involve, now would be a good time to start learning regular expressions, as this seems to be the best means of searching within a string for matches of HTML elements.
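An added example (not code from the thread) of the approach this reply describes: detect HTML in the submitted text and show the user a warning instead of silently stripping it, and escape stored entries with htmlspecialchars() when they are displayed. It also rejects the Unicode bidirectional override characters the reply mentions. The regexes, function names and messages are this example's own, not from the poster's project.

```php
<?php
// Added example: server-side check that refuses HTML in a guestbook field
// and an output escaper for displaying entries. A JavaScript check, as the
// reply suggests, would only mirror html_input_error() for convenience.

/** Return null when $text is acceptable, otherwise a warning for the user. */
function html_input_error(string $text): ?string
{
    // Invalid UTF-8 makes the /u checks below fail open, so reject it first.
    if (preg_match('//u', $text) !== 1) {
        return 'The message is not valid UTF-8 text.';
    }
    // An opening tag, a closing tag or a comment start: "<p", "</p", "<!--".
    // A "<" followed by a space (as in "a < b") is not treated as a tag.
    if (preg_match('/<\/?[A-Za-z!]/', $text)) {
        return 'HTML is not allowed in the guestbook. Please remove the < and > characters.';
    }
    // Named or numeric character references such as &lt; or &#60;
    if (preg_match('/&(#\d+|#x[0-9A-Fa-f]+|[A-Za-z]+);/', $text)) {
        return 'HTML entities are not allowed in the guestbook.';
    }
    // Bidirectional embedding/override/isolate controls (U+202A..U+202E,
    // U+2066..U+2069) can make text display backwards; refuse them outright.
    if (preg_match('/[\x{202A}-\x{202E}\x{2066}-\x{2069}]/u', $text)) {
        return 'The message contains hidden text-direction characters.';
    }
    return null;
}

/** Escape a stored entry for output inside an HTML page. */
function render_entry(string $text): string
{
    // Escape first, then turn newlines into <br> so only our own tags remain.
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

if (isset($_POST['input']) && is_string($_POST['input'])) {
    $error = html_input_error($_POST['input']);
    if ($error !== null) {
        // Show the warning plus the user's own text, escaped, so they can fix it.
        echo '<p class="error">' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
        echo '<pre>' . render_entry($_POST['input']) . '</pre>';
        exit;
    }
    // ...otherwise continue and store $_POST['input'] as the guestbook script does...
}
```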
