Solved

allow html tags in textboxes to submit

Posted on 2002-05-26
Last Modified: 2012-05-04
hi,
i've been 'messing' around with several functions (htmlspecialchars, strip_tags, ...) but can not get them to work as they should...

if a user enters html tags, e.g.
<input type="text" value="some value" name="somename">

then presses submit, i want this text to be added to the database,
and when it is viewed again,
it either shows a real textbox (NOT good) or it shows nothing at all (even worse), depending on the functions i use.

also, when a user enters a url or an email address, can this be shown as a clickable url or email address?

i definitely need some good advice on all precautions to write to a db, and to retrieve the data again.
i also use nl2br to clean up the \n's into <br> tags, only when retrieving data.

300 for the one who can make this clear so i can get this into my head...

cheers
Ricky
Question by:Paurths

Accepted Solution by: dkjariwala (earned 300 total points)
First thing.
What do you want to do?

Do you want to allow ppl to use HTML tags ?
If your answer is NO,

Then just use htmlentities on your variable, so that when you store the data in the db and retrieve it back, it is displayed exactly as the person typed it rather than as some messy html.

so lets say your input name is 'somename'

get value in variable by

$somename = htmlentities($HTTP_POST_VARS['somename']); //assuming form is submitted using POST.

Now if person has typed,

<a href="mailto:me@me.com">mail me</a>

Then it would get stored as

&lt;a href=&quot;mailto:me@me.com&quot;&gt;mail me&lt;/a&gt;

in variable $somename.

So no person can put in some HTML and screw up your output.

That is good. But, sometimes you would like person to use some tags but block others.
Say use of <b> tag is not at all harmful. so you would like to allow it.

In that case use,

strip_tags, like

$somename = strip_tags($somename,'<b>');

so $somename would STRIP all tags except <b>!! Mind well, here you would actually be losing information the person typed.
Let's say the person used an img tag; if you use strip_tags, all of that will be removed. (Whereas with htmlentities it is converted so that it gets displayed instead of being rendered by the browser.)

Now you would like to convert URL to clickable one.

Here you would have to write few regexps.

Check this,

$somename =eregi_replace("([ \r\n])www\\.([^ ,\r\n]*)","<a href=\"http://www.\\2\">\\2</a>",$somename);
$somename =eregi_replace("([ \r\n])http://([^ ,\r\n]*)","<a href=\"http://\\2\">\\2</a>",$somename);
$somename =eregi_replace("([ \r\n])https://([^ ,\r\n]*)","<a href=\"https://\\2\">\\2</a>",$somename);
$somename =eregi_replace("([ \r\n])ftp://([^ ,\r\n]*)","<a href=\"ftp://\\2\">\\2</a>",$somename);
$somename =eregi_replace("^http://([^ ,\r\n]*)","<a href=\"http://\\1\">\\1</a>",$somename);
$somename =eregi_replace("^https://([^ ,\r\n]*)","<a href=\"https://\\1\">\\1</a>",$somename);
$somename = eregi_replace("^ftp://([^ ,\r\n]*)","<a href=\"ftp://\\1\">\\1</a>",$somename);
$somename = eregi_replace("^www\\.([^ ,\r\n]*)","<a href=\"http://www.\\1\">\\1</a>",$somename);


So these statements take care of the many possible ways a person may have typed a url and convert it into a clickable one.

Now converting new lines to <br>.
Now here you have two options.
1. Either store new lines as <br> itself, or
2.convert new lines to <br> when displaying.

If 1) then you would do
     $someone = nl2br($someone);
     and then store $someone in DB. So all your new lines are permanently replaced by <br> tags.
     This is not preferable, as you might sometimes want to send mail using DB data, in which case <br> would appear in the mail.
if 2) then don't do anything just store $someone in DB.
     When you want to display it,
     Fetch value from DB,
     then do like $display_value = nl2br($someone);
     and output $display_value.

also you should take care of single quote/double quote when you insert data in db.
and it is very easy too.
just do like

if(! get_magic_quotes_gpc())
     $someone = addslashes($someone);

This code takes care that if MAGIC_QUOTES is not on ( which automatically escapes quotes ) , you manually escape the quotes. :)

I hope this makes things clear to you.
JD
Expert Comment by: axis_img
Hey Ricky...

I normally leave the data as-is when entering it into the database, although there are exceptions to this rule. In other words, I am referring to the following scenario:

User is entering html tags into a textarea, and submits the form. I will normally insert this data into the database as is (without stripping the html tags and/or nl2br). The reason for this is because my needs for displaying this data may change at a later date, so I would rather have the original content in there and just change my display routine as needed.

How you go about it though is really up to you. If the user is entering html code through the form, and you know for sure that it will never actually be rendered, but rather just displayed as text on the page, then you could just as well pass the string through htmlspecialchars() before inserting.

Another example would be how we have our user pages set up at my work. Our members can create/edit their own web page through a web interface. Obviously, the user should be able to see the html code in the textarea when they are editing it, but the code should actually render on the page when someone goes to their web page. Since the web page will normally get many more hits than the user's edit page, we save the html tags into the database, rather than convert them before inserting into the db. The reason for this is because there is more traffic to the user's web page, which in turn would involve more processing on each page if the text had to be converted every time we pulled it out of the db. Instead, it only needs to be converted when we pull it out of the db and put it into the textarea for the owner to edit.

So in reality, the method you use is dependent on the circumstances. Whether converting characters before inserting into the database, or pulling the original characters from the db and converting them before displaying; whichever happens to be more convenient for the situation.

If you have any specific questions regarding certain functions, feel free to let me know. I am about to go to bed, so I will check back in the morning to see if you have any questions.

Regards,
Barry
Author Comment by: Paurths
wow, thanks for this response.

it is starting to get clear now ( a little hehe)

so, JD,

suppose i would like to let the user use:
<B></B>
<U></U>
<I></I>

and the hyperlinks

but nothing else.

do i first use htmlentities to make sure textboxes, tables etc are 'dismantled', and then use str_replace to get the font-tags back in?
//strip tags
$txtcomment = htmlentities($HTTP_POST_VARS['txtcomment']);

//allow bold, replace with actual tags
$txtcomment = str_replace("$lt;b&gt;","<B>",$txtcomment);
     $txtcomment = str_replace("$lt;B&gt;","<B>",$txtcomment);
     $txtcomment = str_replace("$lt;/b&gt;","</B>",$txtcomment);
     $txtcomment = str_replace("$lt;/B&gt;","</B>",$txtcomment);


seems not to be working, it is nicely showing the data the user typed in (which in a way is good of course)
cheers
Ricky
Author Comment by: Paurths
$txtcomment = str_replace("$lt;b&gt;","<B>",$txtcomment);

is of course (not $ but &)

$txtcomment = str_replace("&lt;b&gt;","<B>",$txtcomment);
Expert Comment by: dkjariwala
The following seems to be working for me,

<?php

$check = "<a href=\"mailto:me@me.com\">mail me</a> <b> wow....</b>";

$check = htmlentities($check);

$check = str_replace("&lt;b&gt;","<b>",$check);
$check = str_replace("&lt;/b&gt;","</b>",$check);
print $check;

?>
Author Comment by: Paurths
it is working when i use str_replace on outputting the data again. (B, U and I)

this is excellent,

will test the links now, and re-comment

cheers
Ricky
Author Comment by: Paurths
links are working as well.

email seems to trouble me...

getting close :-)
Author Comment by: Paurths
this is what i produced so far for email

$msg=eregi_replace("mailto:([^ ,\r\n]*)","<a href=\"mailto:\\1\">\\1</a>",$msg);

will only work if person enters this in textbox:
mailto:someaddress@domain.com

strange result with
<a href="mailto:someaddress@domain.com">click me</a>

what is clickable: someaddress@domain.com">click

bbbrrrr?
Expert Comment by: dkjariwala
Hello Ricky,

See, there can not be a 100% sure way to get everything corrected. You would have to draw the line somewhere. And you should try to match up an email address by a string which has '@' in it rather than looking for mailto:.

jd
Author Comment by: Paurths
thanx JD,

this helped me out quite a bit.
I decided emails are not allowed :-)

however, this gave me some ideas on other features,
adding smileys etc,

i changed the code and added a 'help' page on how to use these tags.
Instead of <B>bold</B> showing as bold, it will show as it is.
If a user however types in: [B]this is bold[/B] then 'this is bold' will show as bold.
smileys are my next step hehe...

again,
thanx a lot,

cheers
Ricky
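Pulling together the accepted answer's steps (encode everything, restore an allowlist of tags, linkify URLs, nl2br only at display time) and the [B]...[/B] markup settled on above, as an added example that is not code from this thread. It assumes PHP 7.4+, an allowlist of b, i and u, and a constructed sample input.

```php
<?php
// Added example, not code from the thread. Encode everything, restore only an allowlist
// of tags, linkify URLs, and apply nl2br at display time (option 2 in the accepted answer).
// Assumptions: PHP 7.4+, allowed tags b/i/u, constructed sample input below.

const ALLOWED_TAGS = ['b', 'i', 'u'];

// Neutralise all markup, then re-enable bare <b>/<i>/<u> and the [b]/[i]/[u] (BBCode) form.
function sanitize_comment(string $raw): string
{
    // '<', '>', '"', "'" and '&' become entities, so nothing the user typed can render.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $tags = implode('|', ALLOWED_TAGS);
    $restore = fn(array $m): string => '<' . $m[1] . strtolower($m[2]) . '>';
    // The patterns admit no attributes, so "<b onmouseover=...>" stays encoded and inert.
    $safe = preg_replace_callback("#&lt;(/?)($tags)&gt;#i", $restore, $safe);
    $safe = preg_replace_callback("#\[(/?)($tags)\]#i", $restore, $safe);
    return $safe;
}

// Turn http(s):// and www. URLs into links. This runs on already-encoded text, so a quote
// the user typed is &quot; and cannot close the href attribute; only http(s) schemes are
// matched, so a javascript: URL is never linked. A match stops at whitespace or a restored tag.
function linkify(string $encoded): string
{
    return preg_replace_callback(
        '#\b(?:https?://|www\.)[^\s<]+#i',
        function (array $m): string {
            $url  = $m[0];
            $href = stripos($url, 'www.') === 0 ? 'http://' . $url : $url;
            return '<a href="' . $href . '" rel="nofollow">' . $url . '</a>';
        },
        $encoded
    );
}

// Store the raw text (with a prepared statement rather than addslashes) and convert only
// when rendering, so the same row can still be mailed or re-edited unchanged.
function render_comment(string $stored): string
{
    return nl2br(linkify(sanitize_comment($stored)));
}

// Constructed sample: a URL, allowed tags in both forms, and three injection attempts.
$input = "Visit http://www.example.com/?a=1&b=2 or www.example.org\n"
       . "<b>bold</b> <U>under</U> [i]italic[/i]\n"
       . "<b onmouseover=\"alert(1)\">x</b> <img src=x onerror=alert(1)> <a href=\"javascript:alert(1)\">y</a>";
echo render_comment($input), "\n";
```

In the rendered output the two URLs become links and the b/u/i tags render, while the three injection attempts are printed as literal text (the stray restored </b> after the encoded opening tag is harmless).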
Expert Comment by: dkjariwala
Smileys are also not difficult. Simple str_replace does the task.

$text = str_replace(":)", "<img src=\"smiley.gif\">", $text);

So :) would be replaced by an image of a smiley!! simple, isn't it??

JD
Author Comment by: Paurths
yep, its already working

cheers
Ricky