Anders Thoresson wrote:
>   I've seen both guest books and user forums "hacked" by users who
> enter javascript or other code, and that way redirect visitors to
> other sites or do other unwelcome things. What expressions should I
> look for and not allow in my forms?

I use the htmlspecialchars() function to disable all html. This function
basically puts a '\' in front of each html character and thus disables all
html.
You may not want to do this if you want to allow, for example <b></b> or
other friendly html. If so you can use a regex to disable the <script> or
</table> tags.

Now that I think about it, it might be better to disable all html and later
enable <i>,<b> etc (or define your own, like a lot of forums seem to do).

-Peter



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
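The approach Peter lands on in his last paragraph, disable all HTML first and then re-enable a short list of friendly tags, as an added PHP example (this is not code from the original thread). htmlspecialchars() turns <, >, &, and quotes into HTML entities, so the browser renders them as text rather than markup; the allowed-tag list, the sanitize_post() name and the sample inputs below are constructed for the demonstration.

```php
<?php
// Added example, not from the original thread: escape everything, then
// re-enable a small whitelist of harmless tags.

// Tags we are willing to allow back in (constructed list). Only the bare
// forms <b> and </b> are re-enabled, never a tag carrying attributes, so
// nothing like onclick= or style= can ride along inside an allowed tag.
const ALLOWED_TAGS = ['b', 'i', 'u', 'em', 'strong'];

function sanitize_post(string $input): string
{
    // Step 1: neutralise all markup. ENT_QUOTES also escapes single quotes,
    // which matters when the text is later placed inside an attribute.
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: turn only the exact escaped forms &lt;b&gt; and &lt;/b&gt;
    // back into tags. The pattern requires the tag name to be followed
    // directly by &gt;, so "&lt;b onclick=..." stays escaped text.
    $names = implode('|', array_map('preg_quote', ALLOWED_TAGS));
    return preg_replace(
        '#&lt;(/?)(' . $names . ')&gt;#i',
        '<${1}${2}>',
        $safe
    );
}

// Constructed sample inputs: harmless formatting, a script block, an allowed
// tag smuggling an attribute, and mixed-case allowed tags.
$samples = [
    'Hello <b>world</b>',
    '<script>document.location="http://example.invalid/"</script>',
    '<b onclick="x()">bold</b>',
    '<B>caps</B> and <i>italic</i>',
];

foreach ($samples as $s) {
    echo sanitize_post($s), "\n";
}
```

Run it with `php sanitize.php`. The first and last samples come out with their bold and italic tags intact, the script block and the attribute-laden bold tag are printed as literal escaped text, and because matching is case-insensitive, `<B>` is treated the same as `<b>`. Whitelisting the escaped forms is what makes this hold: a blacklist regex that hunts for `<script>` has to anticipate every spelling and variant, whereas here anything not on the short list simply stays escaped.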