Posted by Dave on 02/25/05 10:36
PHP General,
1. The Situation:
I have a forum in which users can enter text which is then displayed
on my web site. I want to be able to allow them to insert their own <a
href> tags to provide links. The text is stored in a MySQL database.
2. The Problem:
My understanding is that if the input of HTML tags or other coding
elements is left unrestricted, then the potential is there for users to
cause damage either maliciously or by accident by inserting scripts or
MySQL commands. Although the users who have access to the text input
forms have to pass a username and password check first, I would still
rather be safe than sorry. Mostly I am concerned about people unfamiliar
with HTML inserting incorrect code which may break the page design.
3. The Question:
Can I set up a PHP script which will strictly only allow instances
of <a href="???"> and </a> and absolutely nothing else? I would like the
default behavior to be that any other tag element, or use of "<" or
">", is simply deleted from the text before inserting it into the
database. I could reject text with incorrect tags altogether, but then
I'll be spending a lot of time explaining how to correct code to people
who are anxious to get their text on the site. Far better that they at
least be able to get basic text up even when they mess up the code they
want to insert.
Can this be done?
Will it be sufficient to protect the system against bad code?
4. What I've Done So Far:
I've looked into htmlspecialchars()
<http://jp.php.net/manual/en/function.htmlspecialchars.php> and
htmlentities() <http://jp.php.net/manual/en/function.htmlentities.php>,
thinking that they perhaps could pull out characters used in tags, but
they seem to be more for formatting script, not filtering it.
I'm assuming I need a string_replace() code of some kind. But I'm
lost as to how to specify to allow "<" only when immediately followed by
either "a href =" or "/a>" and accept no other instances.
It was when I realized that people might potentially be able to
insert some JavaScript inside of the quotes after "href=" that I
realized I was in over my head.
Any help much appreciated.
--
Dave Gutteridge
dave@tokyocomedy.com
Tokyo Comedy Store
http://www.tokyocomedy.com/english/
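One way to do what the post asks, written here as an added example rather than code from the original poster: escape the whole text first with htmlspecialchars(), so that no tag can survive, then re-create only those <a href="..."> and </a> instances whose href is a plain http or https URL. Everything else (including a "javascript:" href) stays as visible, escaped text. The function names, the PDO connection and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not part of the original post. Function names, the assumed
// PDO connection in storePost() and the sample inputs are all constructed here.
declare(strict_types=1);

/**
 * Return HTML-safe text in which the only markup permitted is
 * <a href="http(s)://..."> and </a>. Other '<' and '>' are escaped rather
 * than deleted, so a mistyped tag shows up as literal text instead of
 * breaking the page layout or vanishing silently.
 */
function allowOnlyAnchorTags(string $text): string
{
    // 1. Neutralise every '<', '>', '&' and quote up front. After this step the
    //    input cannot contain a tag; whatever is re-introduced below is the
    //    only markup that can reach the browser.
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Re-create opening anchors, but only for hrefs that validate.
    //    An original <a href="X"> now reads &lt;a href=&quot;X&quot;&gt;.
    //    The quotes are required; an unquoted href is left as escaped text.
    $escaped = preg_replace_callback(
        '/&lt;a\s+href\s*=\s*&quot;(.*?)&quot;\s*&gt;/i',
        static function (array $m): string {
            // Recover the raw href the user typed, then check the scheme.
            $href = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            // Only plain http/https URLs with no whitespace, quotes or angle
            // brackets. This rejects javascript:, data:, vbscript: and the like.
            if (!preg_match('#\Ahttps?://[^\s<>"\']+\z#i', $href)) {
                return $m[0];   // keep it as visible (escaped) text
            }
            $safeHref = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $safeHref . '" rel="nofollow">';
        },
        $escaped
    );

    // 3. Re-create closing anchors. A stray </a> is harmless to the layout.
    return preg_replace('/&lt;\/a\s*&gt;/i', '</a>', $escaped);
}

/**
 * Store a post. The MySQL concern raised in the question is a separate
 * problem from tag filtering and is solved by a prepared statement: the
 * text is passed as a bound parameter, never spliced into the SQL string.
 * $pdo is assumed to be an existing PDO connection (not created here).
 */
function storePost(PDO $pdo, int $userId, string $rawText): void
{
    $stmt = $pdo->prepare('INSERT INTO posts (user_id, body) VALUES (:uid, :body)');
    $stmt->execute([
        ':uid'  => $userId,
        ':body' => allowOnlyAnchorTags($rawText),
    ]);
}

// Constructed sample inputs for a quick run from the command line.
$samples = [
    'See <a href="https://www.tokyocomedy.com/english/">the site</a>.',
    'Shouted: <A HREF="HTTP://example.com/?a=1&b=2">caps and query string</A>',
    'Bad link: <a href="javascript:alert(1)">click</a>',
    'Bad markup: <script>alert(1)</script>, <b>bold</b>, and 3 < 5',
];
foreach ($samples as $s) {
    echo allowOnlyAnchorTags($s), "\n";
}
```

Escaping first and then re-allowing a narrow, validated pattern is safer than trying to delete the bad patterns, because the default for anything the matcher does not recognise is "harmless text" rather than "passed through". The matcher is deliberately strict (quoted href, http or https only), so a user who types <a href=example.com> sees their tag as literal text and can fix it, which is the forgiving behaviour the question asks for.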