Solved

How to strip HTML from text input field

Posted on 2009-04-10
Last Modified: 2013-12-12
I need help altering my code to remove HTML formatting that might be entered into a comments box.  Here is the code being used to submit the form.
<?php  
require_once("dbConnection.php");  
if($_POST['Submit'] == "Add Comment"){ 
 
  
// Open Database Connection  
 $dbLink = mysql_connect($dbHost, $dbUser, $dbPass); 
 if (!$dbLink){ 
   die ("Database: Couldn`t connect to mySQL Server"); 
 } 
 mysql_select_db($dbName, $dbLink)  
  or die ("Database: Couldn`t open Database");  
 
 // Read data to insert into Database 
 if (!get_magic_quotes_gpc()) { 
  $name = addslashes($_POST['frmName']); 
  $comment = addslashes($_POST['frmComment']); 
  $articleID = addslashes($_POST['frmArticleID']); 
 } else { 
  $name = $_POST['frmName']; 
  $comment = $_POST['frmComment']; 
  $articleID = $_POST['frmArticleID']; 
 }
 // Create Date Time Field 
 $dateTime = date("Y-m-d H:i:s"); 
  
  // Create SQL Query and Execute 
 $sql = "INSERT INTO comments (article,postDateTime,name,comment) 
VALUES ("; 
 $sql .= "'" . $articleID . "',"; 
 $sql .= "'" . $dateTime . "',"; 
 $sql .= "'" . $name . "',"; 
 $sql .= "'" . $comment . "'"; 
 $sql .= ")"; 
 mysql_query($sql,$dbLink); 
  
 // Close Database Connection  
 mysql_close($dbLink); 
  
 header("Location: " . $_POST['page']); 
} 
?>

Question by:producer88
27 Comments
 
LVL 18

Expert Comment

by:Hube02
ID: 24115646
the following will effectively remove any html from a string (or anything that looks like html):

preg_replace('#</?\w[^>]*>#', '', $string);

I would also suggest that instead of trying to add slashes yourself to data to be inserted into a MySQL database that you should use the function mysql_real_escape_string() http://us2.php.net/manual/en/function.mysql-real-escape-string.php
This is a function that was designed to make data safe for the database.
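Added example, not part of the thread and not Hube02's or producer88's code: the regex suggested above applied once, applied repeatedly until the text stops changing, and the defence a practitioner would actually rely on, which is storing the comment as typed and encoding it with htmlspecialchars() at the point it is written into the page. The three inputs are constructed for this example; the nested one shows that a single pass of the regex can leave a working script element behind.

```php
<?php
// Added example, not code from the thread. Shows why a single pass of the
// tag-stripping regex is not a reliable defence against script injection in
// comments, and that encoding on output is the layer to rely on.

declare(strict_types=1);

/** The regex suggested in the thread, applied exactly once. */
function stripTagsOnce(string $text): string
{
    return preg_replace('#</?\w[^>]*>#', '', $text);
}

/**
 * Re-run the strip until the string stops changing. This defeats the
 * nested-tag input below, but it is still a blocklist on input rather
 * than a guarantee about what reaches the browser.
 */
function stripTagsUntilStable(string $text): string
{
    do {
        $before = $text;
        $text = stripTagsOnce($text);
    } while ($text !== $before);
    return $text;
}

/**
 * The defence that does not depend on guessing every markup trick:
 * store the comment as typed and encode it where it is printed into HTML.
 * Every '<', '>', '&' and quote becomes an entity, so nothing in the
 * comment can open a tag or an attribute.
 */
function renderComment(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs for this example (not taken from the site in the thread).
$cases = [
    'plain'  => 'Great video, thanks!',
    'script' => '<script>alert(1)</script>',
    // One pass removes the inner "<script>" and "</script>", and the
    // characters left behind re-assemble into an intact script element.
    'nested' => '<<script>script>alert(1)<</script>/script>',
];

foreach ($cases as $label => $input) {
    printf("%-6s once : %s\n", $label, stripTagsOnce($input));
    printf("%-6s loop : %s\n", $label, stripTagsUntilStable($input));
    printf("%-6s html : %s\n\n", $label, renderComment($input));
}
```

PHP's own strip_tags() exists for the same job as the regex, but it is likewise a removal step rather than an encoding step. Whatever is or is not stripped before storage, calling htmlspecialchars() on the stored comment when the comments list is rendered is what keeps it inert in the browser.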
 

Author Comment

by:producer88
ID: 24115732
Thank you so much - but WHERE exactly does this go in the code I am using?
 
LVL 18

Expert Comment

by:Hube02
ID: 24115853
You could do

$comment = addslashes(preg_replace('#</?\w[^>]*>#', '', $_POST['frmComment']));

or if you wanted to ensure that all html was removed from all posted content you could do a loop before you set any values:

foreach ($_POST as $key => $value) {
  $_POST[$key] = preg_replace('#</?\w[^>]*>#', '', $value);
}
 

Author Comment

by:producer88
ID: 24116141
Okay - I entered the first code and it is still allowing javascript code to be entered - which then works in the comments box?!

Any idea what I might be doing wrong?
 
LVL 18

Expert Comment

by:Hube02
ID: 24116303
can you echo out the value of $_POST['frmComment'] before you do anything with it and then post what you get?

echo $_POST['frmComment']; die;

you may need to do a "view source" to see what is output. Perhaps there is something being put in there that is not being caught by the regex, though I don't see how.

For instance the attached code works fine for me:

<?php
 
$string = '<script type="text/javascript"><p>test paragraph<span> this is a span</span></p></script>';
 
$string = preg_replace('#</?[a-z][^>]*>#i', '', $string);
 
echo $string;
 
?>

 

Author Comment

by:producer88
ID: 24116391
I am sorry, but I don't understand what you are suggesting I do - not that experienced at writing PHP code.

Here is the entire PHP code for the page... perhaps the upper portion that is counting characters has something to do with the reason it will not work for me?
<?php require_once("../../WA_ValidationToolkit/WAVT_Scripts_PHP.php"); ?>
<?php require_once("../../WA_ValidationToolkit/WAVT_ValidatedForm_PHP.php"); ?>
<?php 
if ($_SERVER["REQUEST_METHOD"] == "POST")  {
  $WAFV_Redirect = "comment_added.php";
  $_SESSION['WAVT_addcomment_Errors'] = "";
  if ($WAFV_Redirect == "")  {
    $WAFV_Redirect = $_SERVER["PHP_SELF"];
  }
  $WAFV_Errors = "";
  $WAFV_Errors .= WAValidateEL(((isset($_POST["frmComment"]))?$_POST["frmComment"]:"") . "",0,500,true,1);
 
  if ($WAFV_Errors != "")  {
    PostResult($WAFV_Redirect,$WAFV_Errors,"addcomment"); 
  }
}
?>
<?php  
require_once("dbConnection.php");  
if($_POST['Submit'] == "Add Comment"){ 
 
  
// Open Database Connection  
 $dbLink = mysql_connect($dbHost, $dbUser, $dbPass); 
 if (!$dbLink){ 
   die ("Database: Couldn`t connect to mySQL Server"); 
 } 
 mysql_select_db($dbName, $dbLink)  
  or die ("Database: Couldn`t open Database");  
 
 // Read data to insert into Database 
 if (!get_magic_quotes_gpc()) { 
  $name = addslashes($_POST['frmName']); 
$comment = addslashes(preg_replace('#</?\w[^>]*>#', '', $_POST['frmComment']));
$articleID = addslashes($_POST['frmArticleID']); 
 } else { 
  $name = $_POST['frmName']; 
  $comment = $_POST['frmComment']; 
  $articleID = $_POST['frmArticleID']; 
 }
 // Create Date Time Field 
 $dateTime = date("Y-m-d H:i:s"); 
  
  // Create SQL Query and Execute 
 $sql = "INSERT INTO comments (article,postDateTime,name,comment) 
VALUES ("; 
 $sql .= "'" . $articleID . "',"; 
 $sql .= "'" . $dateTime . "',"; 
 $sql .= "'" . $name . "',"; 
 $sql .= "'" . $comment . "'"; 
 $sql .= ")"; 
 mysql_query($sql,$dbLink); 
  
 // Close Database Connection  
 mysql_close($dbLink); 
  
 header("Location: " . $_POST['page']); 
} 
?> 

 
LVL 18

Expert Comment

by:Hube02
ID: 24116983
Add the attached code at the very top of the document that you posted. Run your form, then view the source of the page and post what it gives you. With this I will be able to have a better idea of exactly what you are dealing with.

What this will do is echo the contents of $_POST['frmComment'] to the browser. You will not be able to see the tags unless you view the page source.



<?php
 
if isset($_POST['frmComment']) {
  echo '('.$_POST['frmComment'].')'; die;
}
 
?>

 

Author Comment

by:producer88
ID: 24117058
Oops... doing that created a totally blank page - no source code at all.
 
LVL 18

Expert Comment

by:Hube02
ID: 24117125
Sorry, I missed a close parenthesis, try this

<?php
 
if isset($_POST['frmComment'])) {
  echo '('.$_POST['frmComment'].')'; die;
}
 
?>

 

Author Comment

by:producer88
ID: 24117936
Nope - that did the same thing... no code at all, blank page!
 
LVL 18

Expert Comment

by:Hube02
ID: 24117963
You know, some days I think my head is not screwed on quite right when I can't even type up a simple if statement without making numerous errors. Anyway, try this one.



<?php
 
if (isset($_POST['frmComment'])) {
  echo '('.$_POST['frmComment'].')'; die;
}
 
?>

 

Author Comment

by:producer88
ID: 24118067
No worries!  I just appreciate the help as this one is beyond me!

Okay - that still doesn't prevent javascript code from being input and working once it is... but here is the source code for the page.



  
 
<head>
<style type="text/css">
<!--
body {
	font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
	font-size: 12px;
	color: #FFF;
	background-repeat: no-repeat;
	margin-left: 0px;
	margin-top: 0px;
	background-color: #295c72;
}
#frmReview p {
	font-family: Verdana, Geneva, sans-serif;
	font-size: 11px;
	color: #FFF;
	text-align: left;
}
#comments_box {
	width: 380px;
}
a:link {
	color: #FC0;
	text-decoration: none;
}
a:visited {
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
}
a:active {
	text-decoration: none;
}
-->
</style>
<script language=javascript>
//Edit the counter/limiter value as your wish
var count = "500";   //Example: var count = "175";
function limiter(){
var tex = document.frmReview.frmComment.value;
var len = tex.length;
if(len > count){
        tex = tex.substring(0,count);
        document.frmReview.frmComment.value =tex;
        return false;
}
document.frmReview.limit.value = count-len;
}
 
</script>
 
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"></head>
 
<body>
<div id="comments_box">Submit Your Video Review
  <form id="frmReview" name="frmReview" method="post" action="/01/includes/add_comment.php">
    <p>
      <label for="frmName">Name</label>
 
      
  <input name="frmName" type="text" id="Name" tabindex="10" size="40" />
      </p>
    <p>
      <label for="frmComment">Comment</label>
      <br />
      <textarea name="frmComment" cols="50" rows="3" id="Comment" tabindex="20" onkeyup=limiter()></textarea>
    </p>
    <p>
 
      <input type="hidden" name="frmArticleID" id="ArticleID" value=""/>
      <input type="hidden" name="page" id="page" value=""/>
  <script language=javascript>
document.write("<input type=text name=limit size=4 readonly value="+count+">");
</script> Characters left      
		<input type="submit" name="Submit" id="Submit" value="Add Comment" tabindex="30" />
 
    <a href = "javascript:history.back()">Back to Comments</a> </p>
 
  </form>
 
</div>
</body>
</html>

 

Author Comment

by:producer88
ID: 24118119
BTW - that last code did not enter anything into the database, but it did show the javascript code in the input window and did not redirect to the error page or back to the input form.
 
LVL 18

Expert Comment

by:Hube02
ID: 24118385
This isn't at all what I need to see. Somehow we are at cross purposes.

Lets try something else. Edit your section of code to look like the attached snippet, then try to submit your form and send me what is output to the browser. I need to see what is in the comment so I know how to remove it.



// Read data to insert into Database
  // this is the line we are adding to see what is in
  // $_POST['frmComment']
 echo htmlentities($_POST['frmComment']);die;
 if (!get_magic_quotes_gpc()) { 
  $name = addslashes($_POST['frmName']); 
  $comment = addslashes($_POST['frmComment']); 
  $articleID = addslashes($_POST['frmArticleID']); 
 } else { 
  $name = $_POST['frmName']; 
  $comment = $_POST['frmComment']; 
  $articleID = $_POST['frmArticleID']; 
 }

 

Author Comment

by:producer88
ID: 24118518
I am sorry - maybe this will help clarify what's going on!

COMMENTS BOX
http://www.dogvideolibrary.com/01/01_herding/call_comments1_test.php

Go to this URL with "click here to add comment"

When you click and add a comment - I need the user to be returned to the comments list (this URL above)

Both of these two docs reside in an iFrame inside a Flowplayer flash player info tab... Right now, it is working great - but allowing the input of javascript.  So some idiot could actually copy the "embed" code and stick it into the comments box - which someone did already!

Here is a link to the live files working on the site:  http://www.dogvideolibrary.com/01/02_basenji.php
 
LVL 18

Expert Comment

by:Hube02
ID: 24118674
this won't help me, I would need to be able to edit the code. I can't run your code locally because I don't have all the files and even if I could there would be differences because of the different servers.

What I really need to know is what the text is in the $_POST variable just before we attempt the preg_replace(). The only way to do this is to echo what is in that variable to the browser.

With that information I could make sure we are looking for the right thing.
 

Author Comment

by:producer88
ID: 24118713
Here is all the code for the page.  Is this what you need?  I had given this above.
<?php
 
if (isset($_POST['frmComment'])) {
  echo '('.$_POST['frmComment'].')'; die;
}
 
?>
<?php require_once("../../WA_ValidationToolkit/WAVT_Scripts_PHP.php"); ?>
<?php require_once("../../WA_ValidationToolkit/WAVT_ValidatedForm_PHP.php"); ?>
<?php 
if ($_SERVER["REQUEST_METHOD"] == "POST")  {
  $WAFV_Redirect = "comment_added.php";
  $_SESSION['WAVT_addcomment_Errors'] = "";
  if ($WAFV_Redirect == "")  {
    $WAFV_Redirect = $_SERVER["PHP_SELF"];
  }
  $WAFV_Errors = "";
  $WAFV_Errors .= WAValidateEL(((isset($_POST["frmComment"]))?$_POST["frmComment"]:"") . "",0,500,true,1);
 
  if ($WAFV_Errors != "")  {
    PostResult($WAFV_Redirect,$WAFV_Errors,"addcomment"); 
  }
}
?>
<?php  
require_once("dbConnection.php");  
if($_POST['Submit'] == "Add Comment"){ 
 
  
// Open Database Connection  
 $dbLink = mysql_connect($dbHost, $dbUser, $dbPass); 
 if (!$dbLink){ 
   die ("Database: Couldn`t connect to mySQL Server"); 
 } 
 mysql_select_db($dbName, $dbLink)  
  or die ("Database: Couldn`t open Database");  
 
 // Read data to insert into Database 
 if (!get_magic_quotes_gpc()) { 
  $name = addslashes($_POST['frmName']); 
$comment = addslashes(preg_replace('#</?\w[^>]*>#', '', $_POST['frmComment']));
$articleID = addslashes($_POST['frmArticleID']); 
 } else { 
  $name = $_POST['frmName']; 
  $comment = $_POST['frmComment']; 
  $articleID = $_POST['frmArticleID']; 
 }
 // Create Date Time Field 
 $dateTime = date("Y-m-d H:i:s"); 
  
  // Create SQL Query and Execute 
 $sql = "INSERT INTO comments (article,postDateTime,name,comment) 
VALUES ("; 
 $sql .= "'" . $articleID . "',"; 
 $sql .= "'" . $dateTime . "',"; 
 $sql .= "'" . $name . "',"; 
 $sql .= "'" . $comment . "'"; 
 $sql .= ")"; 
 mysql_query($sql,$dbLink); 
  
 // Close Database Connection  
 mysql_close($dbLink); 
  
 header("Location: " . $_POST['page']); 
} 
?> 
 
<head>
<style type="text/css">
<!--
body {
	font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
	font-size: 12px;
	color: #FFF;
	background-repeat: no-repeat;
	margin-left: 0px;
	margin-top: 0px;
	background-color: #295c72;
}
#frmReview p {
	font-family: Verdana, Geneva, sans-serif;
	font-size: 11px;
	color: #FFF;
	text-align: left;
}
#comments_box {
	width: 380px;
}
a:link {
	color: #FC0;
	text-decoration: none;
}
a:visited {
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
}
a:active {
	text-decoration: none;
}
-->
</style>
<script language=javascript>
//Edit the counter/limiter value as your wish
var count = "500";   //Example: var count = "175";
function limiter(){
var tex = document.frmReview.frmComment.value;
var len = tex.length;
if(len > count){
        tex = tex.substring(0,count);
        document.frmReview.frmComment.value =tex;
        return false;
}
document.frmReview.limit.value = count-len;
}
 
</script>
 
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"></head>
 
<body>
<div id="comments_box">Submit Your Video Review
  <form id="frmReview" name="frmReview" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <p>
      <label for="frmName">Name</label>
      
  <input name="frmName" type="text" id="Name" tabindex="10" size="40" />
      </p>
    <p>
      <label for="frmComment">Comment</label>
      <br />
      <textarea name="frmComment" cols="50" rows="3" id="Comment" tabindex="20" onkeyup=limiter()></textarea>
    </p>
    <p>
      <input type="hidden" name="frmArticleID" id="ArticleID" value="<?php echo $_GET['id']; ?>"/>
      <input type="hidden" name="page" id="page" value="<?php echo $_GET['page']; ?>"/>
  <script language=javascript>
document.write("<input type=text name=limit size=4 readonly value="+count+">");
</script> Characters left      
		<input type="submit" name="Submit" id="Submit" value="Add Comment" tabindex="30" />
 
    <a href = "javascript:history.back()">Back to Comments</a> </p>
 
  </form>
</div>
</body>
</html>

 
LVL 18

Expert Comment

by:Hube02
ID: 24119160
change your code to the following and then try to submit the form then copy and paste what you get.

<?php require_once("../../WA_ValidationToolkit/WAVT_Scripts_PHP.php"); ?>
<?php require_once("../../WA_ValidationToolkit/WAVT_ValidatedForm_PHP.php"); ?>
<?php 
if ($_SERVER["REQUEST_METHOD"] == "POST")  {
  $WAFV_Redirect = "comment_added.php";
  $_SESSION['WAVT_addcomment_Errors'] = "";
  if ($WAFV_Redirect == "")  {
    $WAFV_Redirect = $_SERVER["PHP_SELF"];
  }
  $WAFV_Errors = "";
  $WAFV_Errors .= WAValidateEL(((isset($_POST["frmComment"]))?$_POST["frmComment"]:"") . "",0,500,true,1);
 
  if ($WAFV_Errors != "")  {
    PostResult($WAFV_Redirect,$WAFV_Errors,"addcomment"); 
  }
}
?>
<?php  
require_once("dbConnection.php");  
if($_POST['Submit'] == "Add Comment"){ 
 
  
// Open Database Connection  
 $dbLink = mysql_connect($dbHost, $dbUser, $dbPass); 
 if (!$dbLink){ 
   die ("Database: Couldn`t connect to mySQL Server"); 
 } 
 mysql_select_db($dbName, $dbLink)  
  or die ("Database: Couldn`t open Database");  
 
 // Read data to insert into Database 
 
// add this
 echo htmlentities($_POST['frmComment']);die;
 
 if (!get_magic_quotes_gpc()) { 
  $name = addslashes($_POST['frmName']); 
$comment = addslashes(preg_replace('#</?\w[^>]*>#', '', $_POST['frmComment']));
$articleID = addslashes($_POST['frmArticleID']); 
 } else { 
  $name = $_POST['frmName']; 
  $comment = $_POST['frmComment']; 
  $articleID = $_POST['frmArticleID']; 
 }
 // Create Date Time Field 
 $dateTime = date("Y-m-d H:i:s"); 
  
  // Create SQL Query and Execute 
 $sql = "INSERT INTO comments (article,postDateTime,name,comment) 
VALUES ("; 
 $sql .= "'" . $articleID . "',"; 
 $sql .= "'" . $dateTime . "',"; 
 $sql .= "'" . $name . "',"; 
 $sql .= "'" . $comment . "'"; 
 $sql .= ")"; 
 mysql_query($sql,$dbLink); 
  
 // Close Database Connection  
 mysql_close($dbLink); 
  
 header("Location: " . $_POST['page']); 
} 
?> 
 
<head>
<style type="text/css">
<!--
body {
	font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
	font-size: 12px;
	color: #FFF;
	background-repeat: no-repeat;
	margin-left: 0px;
	margin-top: 0px;
	background-color: #295c72;
}
#frmReview p {
	font-family: Verdana, Geneva, sans-serif;
	font-size: 11px;
	color: #FFF;
	text-align: left;
}
#comments_box {
	width: 380px;
}
a:link {
	color: #FC0;
	text-decoration: none;
}
a:visited {
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
}
a:active {
	text-decoration: none;
}
-->
</style>
<script language=javascript>
//Edit the counter/limiter value as your wish
var count = "500";   //Example: var count = "175";
function limiter(){
var tex = document.frmReview.frmComment.value;
var len = tex.length;
if(len > count){
        tex = tex.substring(0,count);
        document.frmReview.frmComment.value =tex;
        return false;
}
document.frmReview.limit.value = count-len;
}
 
</script>
 
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"></head>
 
<body>
<div id="comments_box">Submit Your Video Review
  <form id="frmReview" name="frmReview" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <p>
      <label for="frmName">Name</label>
      
  <input name="frmName" type="text" id="Name" tabindex="10" size="40" />
      </p>
    <p>
      <label for="frmComment">Comment</label>
      <br />
      <textarea name="frmComment" cols="50" rows="3" id="Comment" tabindex="20" onkeyup=limiter()></textarea>
    </p>
    <p>
      <input type="hidden" name="frmArticleID" id="ArticleID" value="<?php echo $_GET['id']; ?>"/>
      <input type="hidden" name="page" id="page" value="<?php echo $_GET['page']; ?>"/>
  <script language=javascript>
document.write("<input type=text name=limit size=4 readonly value="+count+">");
</script> Characters left      
		<input type="submit" name="Submit" id="Submit" value="Add Comment" tabindex="30" />
 
    <a href = "javascript:history.back()">Back to Comments</a> </p>
 
  </form>
</div>
</body>
</html>

 
LVL 18

Expert Comment

by:Hube02
ID: 24119165
just so that you know what has changed, I removed the code from the beginning that I told you to add and I added the line that is at line 34 in the above posted code.
 

Author Comment

by:producer88
ID: 24119752
thanks so much for all your time today.  I must step away from the computer and tend to family holiday issues now.  Will get back to this tomorrow and hope that you will continue to work me thru until we get it going right!  Hope you have a nice evening.
 

Author Comment

by:producer88
ID: 24187298
I do apologize for taking so long to get back to this problem.  I have tried the code above and what happens is this:

When javascript code is entered in the comment box, all code on the entire page is replaced by this javascript line of code.  Literally, the view source shows the following:

 <a href = \&quot;javascript:history.back()\&quot;>Back to Comments</a>

which is what was entered into the comments box and submitted.

Thank you again for your patience as I continue to try to resolve the issue.  I hope this helps!
 
LVL 18

Expert Comment

by:Hube02
ID: 24187572
That's exactly what's supposed to happen because of this line: (line 34 of the code I posted)

echo htmlentities($_POST['frmComment']);die;

Now I can see what the actual code you are trying to eliminate looks like.

What I need to know is if you want to disallow all links or just links with javascript in them?

 
LVL 18

Expert Comment

by:Hube02
ID: 24187598
But we are trying to remove HTML and the code I posted should remove the link completely, let me look at this again....
 

Author Comment

by:producer88
ID: 24187663
Yes, it removes the link and code - but it does away with the code I had that would put the user back to the comments list, or a blank comment entry box.  This is just bouncing user back to a page with only the text entered on it.
 
LVL 18

Accepted Solution

by:
Hube02 earned 500 total points
ID: 24189545
This last one adds the preg_replace to both places where the $comment value is set. This should remove the html from the input.

Let me know

<?php require_once("../../WA_ValidationToolkit/WAVT_Scripts_PHP.php"); ?>
<?php require_once("../../WA_ValidationToolkit/WAVT_ValidatedForm_PHP.php"); ?>
<?php 
if ($_SERVER["REQUEST_METHOD"] == "POST")  {
  $WAFV_Redirect = "comment_added.php";
  $_SESSION['WAVT_addcomment_Errors'] = "";
  if ($WAFV_Redirect == "")  {
    $WAFV_Redirect = $_SERVER["PHP_SELF"];
  }
  $WAFV_Errors = "";
  $WAFV_Errors .= WAValidateEL(((isset($_POST["frmComment"]))?$_POST["frmComment"]:"") . "",0,500,true,1);
 
  if ($WAFV_Errors != "")  {
    PostResult($WAFV_Redirect,$WAFV_Errors,"addcomment"); 
  }
}
?>
<?php  
require_once("dbConnection.php");  
if($_POST['Submit'] == "Add Comment"){ 
 
  
// Open Database Connection  
 $dbLink = mysql_connect($dbHost, $dbUser, $dbPass); 
 if (!$dbLink){ 
   die ("Database: Couldn`t connect to mySQL Server"); 
 } 
 mysql_select_db($dbName, $dbLink)  
  or die ("Database: Couldn`t open Database");  
 
 // Read data to insert into Database 
 
 if (!get_magic_quotes_gpc()) { 
  $name = addslashes($_POST['frmName']); 
$comment = addslashes(preg_replace('#</?\w[^>]*>#', '', $_POST['frmComment']));
$articleID = addslashes($_POST['frmArticleID']); 
 } else { 
  $name = $_POST['frmName']; 
  $comment = preg_replace('#</?\w[^>]*>#', '', $_POST['frmComment']); 
  $articleID = $_POST['frmArticleID']; 
 }
 // Create Date Time Field 
 $dateTime = date("Y-m-d H:i:s"); 
  
  // Create SQL Query and Execute 
 $sql = "INSERT INTO comments (article,postDateTime,name,comment) 
VALUES ("; 
 $sql .= "'" . $articleID . "',"; 
 $sql .= "'" . $dateTime . "',"; 
 $sql .= "'" . $name . "',"; 
 $sql .= "'" . $comment . "'"; 
 $sql .= ")"; 
 mysql_query($sql,$dbLink); 
  
 // Close Database Connection  
 mysql_close($dbLink); 
  
 header("Location: " . $_POST['page']); 
} 
?> 
 
<head>
<style type="text/css">
<!--
body {
	font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
	font-size: 12px;
	color: #FFF;
	background-repeat: no-repeat;
	margin-left: 0px;
	margin-top: 0px;
	background-color: #295c72;
}
#frmReview p {
	font-family: Verdana, Geneva, sans-serif;
	font-size: 11px;
	color: #FFF;
	text-align: left;
}
#comments_box {
	width: 380px;
}
a:link {
	color: #FC0;
	text-decoration: none;
}
a:visited {
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
}
a:active {
	text-decoration: none;
}
-->
</style>
<script language=javascript>
//Edit the counter/limiter value as your wish
var count = "500";   //Example: var count = "175";
function limiter(){
var tex = document.frmReview.frmComment.value;
var len = tex.length;
if(len > count){
        tex = tex.substring(0,count);
        document.frmReview.frmComment.value =tex;
        return false;
}
document.frmReview.limit.value = count-len;
}
 
</script>
 
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"></head>
 
<body>
<div id="comments_box">Submit Your Video Review
  <form id="frmReview" name="frmReview" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <p>
      <label for="frmName">Name</label>
      
  <input name="frmName" type="text" id="Name" tabindex="10" size="40" />
      </p>
    <p>
      <label for="frmComment">Comment</label>
      <br />
      <textarea name="frmComment" cols="50" rows="3" id="Comment" tabindex="20" onkeyup=limiter()></textarea>
    </p>
    <p>
      <input type="hidden" name="frmArticleID" id="ArticleID" value="<?php echo $_GET['id']; ?>"/>
      <input type="hidden" name="page" id="page" value="<?php echo $_GET['page']; ?>"/>
  <script language=javascript>
document.write("<input type=text name=limit size=4 readonly value="+count+">");
</script> Characters left      
		<input type="submit" name="Submit" id="Submit" value="Add Comment" tabindex="30" />
 
    <a href = "javascript:history.back()">Back to Comments</a> </p>
 
  </form>
</div>
</body>
</html>

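Added example, not the thread's code: the INSERT from the accepted solution rewritten with a PDO prepared statement, which makes the addslashes()/magic_quotes branch unnecessary because the driver sends the values separately from the SQL text. It uses an in-memory SQLite database so it runs without the site's MySQL server; the table layout is assumed from the column list in the thread's query, and the two comments inserted are constructed inputs.

```php
<?php
// Added example, not code from the thread: the same INSERT done with a
// prepared statement instead of addslashes() + string concatenation.
// PDO over in-memory SQLite so it runs offline; for the thread's MySQL
// setup only the DSN and credentials in openDb() would change.

declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Columns taken from the thread's INSERT; types and the id column are assumed.
    $db->exec('CREATE TABLE comments (
        id           INTEGER PRIMARY KEY AUTOINCREMENT,
        article      TEXT NOT NULL,
        postDateTime TEXT NOT NULL,
        name         TEXT NOT NULL,
        comment      TEXT NOT NULL)');
    return $db;
}

/**
 * Bound parameters: the SQL text is fixed, the values travel separately,
 * so a quote or a second statement inside a value is just data.
 */
function addComment(PDO $db, string $articleId, string $name, string $comment): int
{
    $stmt = $db->prepare(
        'INSERT INTO comments (article, postDateTime, name, comment)
         VALUES (:article, :posted, :name, :comment)'
    );
    $stmt->execute([
        ':article' => $articleId,
        ':posted'  => date('Y-m-d H:i:s'),
        ':name'    => $name,
        ':comment' => $comment,
    ]);
    return (int) $db->lastInsertId();
}

function fetchComment(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT name, comment FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$db = openDb();

// Constructed inputs: a quote that addslashes() would have escaped, and an
// injection attempt that the concatenated query would have handed to MySQL
// as part of the SQL.
$id1 = addComment($db, '42', "O'Brien", 'Nice clip <script>alert(1)</script>');
$id2 = addComment($db, '42', 'anon', "'); DROP TABLE comments; --");

foreach ([$id1, $id2] as $id) {
    $row = fetchComment($db, $id);
    // Stored exactly as typed: no backslashes added, no second statement run.
    printf("%d %s: %s\n", $id, $row['name'], $row['comment']);
}

$count = (int) $db->query('SELECT COUNT(*) FROM comments')->fetchColumn();
printf("rows: %d (table still exists)\n", $count);
```

The mysql_* functions used throughout the thread were removed in PHP 7; mysqli or PDO with bound parameters is the replacement. Note that the comment is stored raw here, markup included: that is deliberate, because the place to neutralise it is the page that displays the comments, by passing the stored text through htmlspecialchars() when it is output.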
 

Author Comment

by:producer88
ID: 24192327
Oh, I am so happy!  That appears to be working perfectly!  I entered the javascript code and it stripped out the code, left only the text and sent me back to the list of comments!

THANK YOU SO MUCH!  I appreciate your patience and your expertise in helping me resolve this issue.
 

Author Closing Comment

by:producer88
ID: 31568882
Excellent job, thanks for your patience and expertise!
