PHP General,
1. The Situation:
I have a forum in which users can enter text which is then displayed on my web site. I want to be able to allow them to insert their own <a href> tags to provide links. The text is stored in a MySQL database.
2. The Problem:
My understanding is that if the input of HTML tags or other coding elements is left unrestricted, then the potential is there for users to cause damage either maliciously or by accident by inserting scripts or MySQL commands. Although the users who have access to the text input forms have to pass a username and password check first, I would still rather be safe than sorry. Mostly I am concerned about people unfamiliar with HTML inserting incorrect code which may break the page design.
3. The Question:
Can I set up a PHP script which will strictly only allow instances of <a href="???"> and </a> and absolutely nothing else? I would like the default behavior to be that any other tag element, or any other use of "<" or ">", is simply deleted from the text before it is inserted into the database. I could reject text with incorrect tags altogether, but then I'll be spending a lot of time explaining how to correct code to people who are anxious to get their text on the site. Far better that they at least be able to get basic text up even when they mess up the code they want to insert.
Can this be done?
Will it be sufficient to protect the system against bad code?
4. What I've Done So Far:
I've looked into htmlspecialchars() <http://jp.php.net/manual/en/function.htmlspecialchars.php> and htmlentities() <http://jp.php.net/manual/en/function.htmlentities.php>, thinking that they perhaps could pull out characters used in tags, but they seem to be more for formatting script, not filtering it.
I'm assuming I need a string_replace() code of some kind. But I'm lost as to how to specify to allow "<" only when immediately followed by either "a href =" or "/a>" and accept no other instances.
It was when I realized that people might potentially be able to insert some JavaScript inside of the quotes after "href=" that I realized I was in over my head.
Any help much appreciated.
-- Dave Gutteridge dave@xxxxxxxxxxxxxxx Tokyo Comedy Store http://www.tokyocomedy.com/english/
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
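One way to implement the "only <a href> and nothing else" rule the post asks about, written here as an added example (it is not code from the original message, and it is not the list's answer to it). It assumes PHP 7.4 or later, UTF-8 text, and the constructed sample inputs at the bottom; the rel="nofollow" attribute on emitted links is this example's own choice, not something the post requested. The trick it uses is the reverse of a blacklist: escape every character first with htmlspecialchars(), so nothing the user typed is live markup, then put back exactly one construct, an anchor whose href starts with http:// or https://. Anything else, including a stray "<", a <script> tag, an anchor with extra attributes, or a javascript: URL, never becomes HTML.

```php
<?php
// Added example (not from the original post): whitelist sanitizer for forum text.
// Policy: escape everything, then re-enable only <a href="http(s)://...">text</a>.
declare(strict_types=1);

const ESC_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401;

function sanitize_forum_text(string $input): string
{
    // Step 1: neutralise everything. After this call the text contains no live
    // markup; <a href="X">Y</a> now reads &lt;a href=&quot;X&quot;&gt;Y&lt;/a&gt;
    $escaped = htmlspecialchars($input, ESC_FLAGS, 'UTF-8');

    // Step 2: find escaped anchors of exactly the shape <a href=QUOTE url QUOTE>text</a>.
    // \1 forces the closing quote to be the same as the opening one (&quot; or &#039;).
    $pattern = '~&lt;a\s+href\s*=\s*(&quot;|&#039;)(.*?)\1\s*&gt;(.*?)&lt;/a&gt;~is';

    $result = preg_replace_callback($pattern, function (array $m): string {
        // $m[2] is still HTML-escaped (e.g. &amp; for &); decode it to get the raw URL.
        $url = trim(html_entity_decode($m[2], ESC_FLAGS, 'UTF-8'));

        // Whitelist: only absolute http(s) URLs with a host. javascript:, data:,
        // vbscript:, protocol-relative URLs and spellings such as "java\tscript:"
        // all fail this same test, so nothing needs to be enumerated.
        $host = parse_url($url, PHP_URL_HOST);
        if (!preg_match('~^https?://~i', $url) || !is_string($host) || $host === '') {
            return $m[3];   // bad link: drop it, keep its (already escaped) text
        }

        // Re-escape the URL for the attribute context; $m[3] is already safe text.
        $safe = htmlspecialchars($url, ESC_FLAGS, 'UTF-8');
        return '<a href="' . $safe . '" rel="nofollow">' . $m[3] . '</a>';
    }, $escaped);

    // preg_replace_callback() returns null on a PCRE error (e.g. backtrack limit);
    // fail closed by returning the fully escaped text in that case.
    return $result ?? $escaped;
}

// Constructed sample inputs for demonstration (not taken from the original post).
$samples = [
    'Show times: <a href="http://www.tokyocomedy.com/english/">our site</a>.',
    'Sneaky: <a href="javascript:alert(document.cookie)">click me</a>',
    "<script>alert(1)</script> and <a href='HTTP://example.com/?a=1&b=2'>with amp</a>",
    'Mangled: <b>bold</b>, a stray < sign, and an unclosed <a href="http://x.example">link',
];

foreach ($samples as $s) {
    echo sanitize_forum_text($s), "\n";
}
```

Running this, the first sample comes out as a working link, the javascript: link in the second sample is reduced to the plain words "click me", the <script> tag and the <b> tag are displayed as harmless literal text, and the unclosed anchor in the last sample stays visible as text because it never matched the full open-and-close shape. That behaviour differs from the "delete it" behaviour the post asks for; showing the broken tag literally was chosen here because it tells the poster what went wrong, but the unmatched escaped tags could equally be removed before step 1 if silent deletion is preferred. Two caveats a practitioner would add: run the function once only, either before storing the text as the post proposes or when rendering it (it is not idempotent, since its own output contains a rel attribute the pattern does not accept); and the HTML escaping does nothing about SQL. The MySQL side is a separate problem, solved by inserting the text through a prepared statement (PDO or mysqli with bound parameters), not by any character filtering.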