most forums do this
<?php
// escape the submitted text and save the escaped form
$stored = htmlentities($input);
// ... later, read it back for display
$output = $stored;
// if the poster switched "html" on, undo the escaping before printing
if ($html == 'on') {
    $output = html_entity_decode($output);
}
print($output);
exit();
?>
Seraphim wrote:
Anders Thoresson wrote:
I've seen both guest books and user forums "hacked" by users who
enter javascript or other code, and that way redirect visitors to
other sites or do other unwelcome things. What expressions should I
look for and not allow in my forms?
I use the htmlspecialchars() function to disable all html. This function
basically puts a '\' in front of each html character and thus disables all
html.
You may not want to do this if you want to allow, for example <b></b> or
other friendly html. If so you can use a regex to disable the <script> or
</table> tags.
Now that I think about it, it might be better to disable all html and later
enable <i>,<b> etc (or define your own, like a lot of forums seem to do).
-Peter
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
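Added example (not code from either poster above, written to illustrate the thread): it puts the two approaches side by side. The first post's pattern escapes on save and calls html_entity_decode() when "html" is on, which hands back the original <script> tag untouched. Peter's second thought, disable all html and then re-enable <b>, <i> and a few others, is done here by escaping everything with htmlspecialchars() (which rewrites < > & " ' as entities) and then converting only the entity-encoded forms of an allowlist of bare tags back into real tags. The tag list, the helper names and the sample guestbook entry are assumptions made for the example.

```php
<?php
// Added example for the thread above, not the posters' own code.

// Assumption: a small allowlist of bare formatting tags, no attributes allowed.
const ALLOWED_TAGS = ['b', 'i', 'u', 'em', 'strong', 'code'];

/**
 * Escape user-supplied text for HTML output. htmlspecialchars() turns
 * < > & " ' into entities, so nothing the visitor typed is parsed as markup.
 */
function escape_all(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Escape everything, then turn the escaped forms of allowlisted tags
 * (&lt;b&gt; ... &lt;/b&gt;) back into real tags. Only a bare open or close
 * tag with no attributes matches, so <script> or <b onmouseover="..."> never
 * come back as markup.
 */
function escape_with_allowlist(string $text): string
{
    $out = escape_all($text);
    foreach (ALLOWED_TAGS as $tag) {
        // match the entity-encoded tag case-insensitively, nothing between name and &gt;
        $out = preg_replace(
            '~&lt;(/?)' . $tag . '&gt;~i',
            '<$1' . $tag . '>',
            $out
        );
    }
    return $out;
}

/**
 * The pattern from the first post: escape on save, decode on display when
 * "html" is on. Included only to show that decoding undoes the escaping.
 */
function decode_if_html_on(string $stored, bool $htmlOn): string
{
    return $htmlOn
        ? html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        : $stored;
}

// Constructed sample of what a hostile guestbook visitor might submit.
$input = 'Nice site! <b>bold</b> '
       . '<script>document.location="http://attacker.example/"</script> '
       . '<b onmouseover="alert(1)">x</b>';

// what the first post's forum would have saved
$stored = htmlentities($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

echo "decode when html=on (unsafe):\n";
echo decode_if_html_on($stored, true), "\n\n";
// the <script> and the onmouseover handler come back exactly as typed

echo "escape everything (safe, no formatting at all):\n";
echo escape_all($input), "\n\n";

echo "escape, then re-enable the allowlist (safe, keeps <b>bold</b>):\n";
echo escape_with_allowlist($input), "\n";
// <b>bold</b> is real markup again; the script and the <b onmouseover=...>
// opening tag remain visible escaped text
```

Two things to keep in mind if this goes into a real forum: the allowlist pass can leave a stray </b> when the matching opening tag carried an attribute and therefore stayed escaped, which is harmless for script injection but worth balancing for tidy output; and the decision to escape belongs at output time, so the raw text can be kept in the database and rendered safely for HTML, RSS, or plain text alike rather than being committed to one encoding at save time.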