2

I'm quite new here. I'm trying to make a blog/journal site that allows users to post their own journal. I'm still quite reluctant about making it because I am really afraid of malicious code injection.

So here's a sample code:

 <?php
 $test = "<b>blah</b>"; //User input from SQL
 echo "$test";
 ?>

What will come out is just the word "blah" in bold, right? What I was trying to achieve was to echo "<b>blah</b>" instead. I don't want people to put in some PHP code that can actually mess up my whole web page. Please keep in mind that the variable $test is actually a MySQL query, so that variable will be needed as an example. I know you can do echo '$test'; but it just comes out as "$test" instead. I feel like pulling my hair out; I can't figure it out yet.

The second solution I know of is the htmlspecialchars() function, but I want the strings to display as what I typed, not the converted ones...

Is there any way I can do that?

  • strip_tags() Commented Dec 28, 2012 at 15:27
  • To remove the HTML from the string, check out strip_tags(). Commented Dec 28, 2012 at 15:27
  • FYI: single quotes will display things almost completely as is. php.net/manual/en/… Commented Dec 28, 2012 at 15:30
  • PHP code, not PHP codes; they're not the nuclear launch secrets. Commented Dec 28, 2012 at 15:30
  • @cristi_b: always prepare your SQL statements when dealing with user input to prevent injection... anyway, this is not the issue at hand here. If you really insist on sending raw HTML to the client without encoding the HTML entities first, you'll have to change the header to plain text; there's no alternative AFAIK. Commented Dec 28, 2012 at 15:33

4 Answers

2

I think the OP wants the HTML itself to be output to the page, and not have the tags stripped. To achieve this, you can run the string first through htmlentities()

$test = '<b>blah</b>';
echo htmlentities($test);

This will output:

&lt;b&gt;blah&lt;/b&gt;

Which will render in the page as

<b>blah</b>

5 Comments

Now what's the difference from htmlspecialchars()?
Hey, I guess that worked. Using this function, I can use str_replace to allow only certain codes to be executable. Thanks!
Still, I don't get it. So, htmlentities() replaces fewer characters compared to htmlspecialchars(), right?
The difference lies in how they handle character sets and whether or not you are outputting to XML or HTML. In fact, htmlentities will replace more characters than htmlspecialchars.
htmlspecialchars suffices for the HTML special characters; no need to use htmlentities unless you can’t use certain characters due to a limited output character set.
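The practical worry behind the question is not that echo will run PHP, but that an unescaped journal entry becomes HTML and JavaScript in every reader's browser. The following is an added example, not code from the question or from any of the answers above; the journal entry string is constructed for illustration and the helper names are mine. It puts the escaping approach from this answer next to the strip_tags() idea from the comments, so the difference between "show the tags literally" and "drop the tags" is visible on the same input, and it shows why htmlspecialchars() is normally enough while htmlentities() also rewrites accented characters. (The header('Content-type: text/plain') route suggested in another answer is not shown here because it turns the whole page, not just the entry, into plain text.)

```php
<?php
// Added example, not from the original post. A constructed journal entry
// that mixes wanted formatting with an attempted script injection.
$entry = '<b>blah</b> <script>alert(document.cookie)</script> "quoted" & café';

// Show the markup literally. Escaping <, >, & and both quote styles is what
// stops a stored entry from being parsed as HTML or JavaScript by the
// reader's browser. ENT_QUOTES covers single quotes too, so the result is
// also safe inside a quoted attribute; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function showLiteral(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// htmlentities() escapes the same special characters and additionally
// encodes every character that has a named entity (the "é" above becomes
// &eacute;). That only matters if the page is served in a charset that
// cannot represent those characters; for a UTF-8 page it is unnecessary.
function showLiteralAllEntities(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Keep a short allow-list of formatting tags and remove all other tags.
// strip_tags() removes the <script> tags but keeps the text between them,
// and it keeps attributes on the allowed tags, so <b onmouseover="..."> would
// survive. Letting user HTML render unescaped needs a real allow-list
// sanitizer (HTML Purifier is one), not strip_tags() or str_replace().
function keepBoldAndItalic(string $s): string
{
    return strip_tags($s, '<b><i>');
}

echo showLiteral($entry), "\n";
echo showLiteralAllEntities($entry), "\n";
echo keepBoldAndItalic($entry), "\n";
```

Run it from the command line (php example.php) and compare the three lines: the first two are safe to echo into a page and display the tags as text, the third still contains live HTML and should only be used once the remaining tags and their attributes have been sanitized.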
2

echo doesn't execute PHP code from a string. This is impossible, and this is not a security hole in your code.

2 Comments

You know, if you read from a database based on user input, that $test inside the echo can be messed with, right? For example, if the user types test"; exit; or something like that in the variable, the user can mess up the page, right? I hope you understand what I meant.
There is only one way to run PHP code that you load from a database: the special function eval(). All other functions do not execute code from a string. If the user entered exit() in the string, then echo will print this string as is, "exit();", and not execute it; it just prints it.
1

You can use a template engine like Twig, for example.

Comments

0

If htmlspecialchars() is not the one you are looking for, try the header() option.

header('Content-type: text/plain');

When you give <b>Hi</b> to a browser, it will be displayed in bold, and the text itself will not be shown. But you can try another way: output it inside a <textarea></textarea>.

Or the other way is to use htmlentities():

<?php
$test = "<b>blah</b>"; //User input from SQL
echo htmlentities($test);
?>

1 Comment

Thanks, that would be the best answer. I can use str_replace for this to allow only certain codes to be displayed, correct?
