MyBB Community Forums

Full Version: HTML Security
(2010-09-28, 07:07 AM)Anman Wrote:
Just do

echo htmlentities($_POST['message']);

Actually, this worked perfectly.

But now, when someone submits the form with a message, name, or otherwise with an apostrophe it gives me an error. Any quick fixes for this as well? I tried striptags but I suppose I have it in the wrong place as well.

EDIT: NVM, figured it out. Big Grin

echo htmlentities(stripslashes($_POST['message']));

should do the trick
Alright, I'm using htmlentities, htmlspecialchars, and stripslashes, and with them, for some reason my output is:

Quote:<b>Test</b>

That's from typing:

Quote:<b>Test</b>

Help would be appreciated. :X
Just use htmlentities() not htmlspecialchars(). The problem is they do almost the exact same thing and the text is getting escaped twice.

If you want you can hit me up on MSN too ([email protected]) I'm on most of the time.
Took out htmlspecialchars() still have the same problem.
Post the line of code, please.
Note that htmlentities is way slower than htmlspecialchars.

If you want to sanitize about 50 variables, I would recommend going with the latter.

htmlspecialchars sanitizes things properly. htmlentities converts all HTML entities instead of only the ones referred to here:
http://www.php.net/manual/en/function.ht...lchars.php
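Putting the two points in this thread together (escape exactly once, at output time, and prefer htmlspecialchars with ENT_QUOTES so apostrophes are covered), here is an added example that is not from any poster; $message is a constructed stand-in for $_POST['message'], and raw_input() and e() are helper names chosen for the example:

```php
<?php
// Added example, not from the thread. Escape once, at the point of output,
// and only strip slashes when the old magic_quotes_gpc setting added them.

// Undo magic_quotes_gpc (PHP 5.3 and older) if it is on. Calling
// stripslashes() unconditionally eats backslashes the user really typed.
function raw_input($value) {
    // get_magic_quotes_gpc() no longer exists on PHP 8; guard the call
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Escape for an HTML text node or attribute value. ENT_QUOTES converts
// both ' and ", so an apostrophe cannot close a single-quoted attribute.
// The charset is given explicitly rather than left to the default.
function e($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, standing in for $_POST['message']
$message = raw_input("<b>Test</b> O'Brien & \"co\"");

// Correct: one escape, applied where the value is written into the page.
// The browser renders the tags as literal text instead of bold markup.
echo '<p>', e($message), "</p>\n";
echo '<input type="text" value=\'', e($message), "'>\n";

// The bug from the thread: passing the same value through both functions
// escapes it twice. The & of every entity produced by the first call is
// converted again by the second, so the page shows entity names on screen.
echo '<p>', htmlentities(htmlspecialchars($message)), "</p>\n";
```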
<no real input on the problem at hand>

Quote:But now, when someone submits the form with a message, name, or otherwise with an apostrophe it gives me an error

When complaining about an error, do the following:

1) Tell us the error. Don't describe it; quote the actual error. Then tell us what you did to get this error.
2) Show us the 10 lines preceding and 10 lines after the line the error is on
3) Consult the manual to make sure you are Doing It Right.
4) Google for a bit. It helps.

</etc>
Not bad ideas; #3 could be consolidated into RTFM. Ten lines seems like a strange number, though; usually you don't need more than the line before it and the line itself if you're getting an error. Of course, when you use eval() like MyBB does, things get a bit more complicated than that. Moral of the story? Eval is evil.
Quote:Eval is evil.

That's not the half of it. I've lost my voice to screaming and gone bald from pulling my hair out at some of the things in the code. Luckily, MyBB 2.0 is going to be so much better that I'll be able to sing opera and have the hair of Samson.