// phpShack / PHP & MySQL Tutorials / Stripping HTML
 

Navigation





  

Stripping HTML

This is a very good practice and secures your scripts better if you strip the use of HTML tags from user input.

Lets just say you have a form that lets your users make a post to your site. By default they could post something like this instead of text:

<IFRAME SRC="http://google.com" WIDTH=450 HEIGHT=100>
</IFRAME>

So to keep that from happening you need to do the following with the input from the us


PHP Code Example:
<?
// $post is the variable that holds the user input from your script

$post $_POST['post']; // Put input into the variable $post
$post_text htmlspecialchars($post);

// Now $post_text holds the input with the HTML stripped out 
?>
Note: htmlspecialchars doesn't actually take the html out, it just don't run the code, instead just displays it

The users post would now print this to the screen instead of executing the HTML:
<IFRAME SRC="http://google.com" WIDTH=450 HEIGHT=100>
</IFRAME>

If you done a view source on the html you would see this:
&lt;IFRAME SRC=&quot;http://google.com&quot; WIDTH=450 HEIGHT=100&gt;
&lt;/IFRAME&gt;