Instead of allowing your users to enter <a> tags, why don't you put them in your own web page and just let them enter the url? For instance you would have your form:

<form method="post" action="thepage.php">
<input type="text" size="40" name="url">
...
</form>

The action page (thepage.php) could include something like:

<?php
if (isset($_POST["url"])):
    // escape and quote the value so it cannot alter the query
    $url = mysql_real_escape_string($_POST["url"]);
    $sql = "INSERT INTO thetable SET url = '$url'";
    mysql_query($sql);
endif;
?>

And when you retrieve it from the database you write your own link (with the attribute value escaped so it cannot close the quote):

<a href="<?= htmlspecialchars($url) ?>">Thelink</a>

instead of relying on the user's html proficiency and/or good intentions, which looks like a big source of problems.

Hope this helps
Alberto Brea

-----Original Message-----
From: Dave <dave@xxxxxxxxxxxxxxx>
To: php-general@xxxxxxxxxxxxx
Date: Fri, 25 Feb 2005 17:36:31 +0900
Subject: [NEWBIE] How to allow for <a href> tags but no others?

> PHP General,
>
> 1. The Situation:
> I have a forum in which users can enter text which is then displayed
> on my web site. I want to be able to allow them to insert their own
> <a href> tags to provide links. The text is stored in a MySQL database.
>
> 2. The Problem:
> My understanding is that if the input of HTML tags or other coding
> elements is left unrestricted, then the potential is there for users to
> cause damage either maliciously or by accident by inserting scripts or
> MySQL commands. Although the users who have access to the text input
> forms have to pass a username and password check first, I would still
> rather be safe than sorry. Mostly I am concerned about people unfamiliar
> with HTML inserting incorrect code which may break the page design.
>
> 3. The Question:
> Can I set up a PHP script which will strictly only allow instances
> of <a href="???"> and </a> and absolutely nothing else? I would like the
> default behavior to be that if any other tag element, or use of "<" or
> ">" be simply deleted from the text before inserting it into the
> database. I could reject text with incorrect tags altogether, but then
> I'll be spending a lot of time explaining how to correct code to people
> who are anxious to get their text on the site. Far better that they at
> least be able to get basic text up even when they mess up the code they
> want to insert.
> Can this be done?
> Will it be sufficient to protect the system against bad code?
>
> 4. What I've Done So Far:
> I've looked into htmlspecialchars()
> <http://jp.php.net/manual/en/function.htmlspecialchars.php> and
> htmlentities() <http://jp.php.net/manual/en/function.htmlentities.php>,
> thinking that they perhaps could pull out characters used in tags, but
> they seem to be more for formatting script, not filtering it.
> I'm assuming I need a string_replace() code of some kind. But I'm
> lost as to how to specify to allow "<" only when immediately followed by
> either "a href =" or "/a>" and accept no other instances.
> It was when I realized that people might potentially be able to
> insert some JavaScript inside of the quotes after "href=" that I
> realized I was in over my head.
>
> Any help much appreciated.
>
> --
> Dave Gutteridge
> dave@xxxxxxxxxxxxxxx
> Tokyo Comedy Store
> http://www.tokyocomedy.com/english/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
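Alberto's "store the URL, write the link yourself" approach, carried through against the two things Dave worries about (script inside href and stray tags breaking the page). This is an added example, not Alberto's or Dave's code; it assumes PHP 7.4+, a PDO connection, and a table `thetable` with assumed columns `body` and `url`.

```php
<?php
// Added example (not from the original thread). Assumes PHP 7.4+, PDO,
// and a table `thetable` with columns `body` and `url` (names assumed).
declare(strict_types=1);

// Accept only absolute http/https URLs. Anything else (javascript:,
// data:, a bare path, an embedded quote) is rejected, so the stored
// value can neither run script nor break out of href="...".
function safe_url(string $raw): ?string
{
    $raw = trim($raw);
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts  = parse_url($raw);
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return null;
    }
    return $raw;
}

// Store with a prepared statement instead of string concatenation,
// so neither the body nor the URL can change the shape of the query.
function store_post(PDO $db, string $body, string $rawUrl): bool
{
    $url = safe_url($rawUrl);
    if ($url === null) {
        return false; // report the bad link to the user instead of silently dropping it
    }
    $stmt = $db->prepare('INSERT INTO thetable (body, url) VALUES (:body, :url)');
    return $stmt->execute([':body' => $body, ':url' => $url]);
}

// Render: the body is escaped so any tag the user typed shows up as
// plain text rather than HTML, and the link is written by us with the
// href attribute escaped. No user-supplied markup reaches the page.
function render_post(string $body, string $url): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>' . nl2br($esc($body)) . '</p>'
         . '<a href="' . $esc($url) . '" rel="nofollow">' . $esc($url) . '</a>';
}
```

With this, safe_url('javascript:alert(1)') returns null while safe_url('http://www.tokyocomedy.com/english/') is accepted, and a body such as `<b>hi` renders literally as text.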