Solved

How to strip HTML from text input field

Posted on 2009-04-10
Last Modified: 2013-12-12
I need help altering my code to remove HTML formatting that might be entered into a comments box.  Here is the code being used to submit the form.
<?php  

require_once("dbConnection.php");  

if($_POST['Submit'] == "Add Comment"){ 
 

  

// Open Database Connection  

 $dbLink = mysql_connect($dbHost, $dbUser, $dbPass); 

 if (!$dbLink){ 

   die ("Database: Couldn`t connect to mySQL Server"); 

 } 

 mysql_select_db($dbName, $dbLink)  

  or die ("Database: Couldn`t open Database");  

 

 // Read data to insert into Database 

 if (!get_magic_quotes_gpc()) { 

  $name = addslashes($_POST['frmName']); 

  $comment = addslashes($_POST['frmComment']); 

  $articleID = addslashes($_POST['frmArticleID']); 

 } else { 

  $name = $_POST['frmName']; 

  $comment = $_POST['frmComment']; 

  $articleID = $_POST['frmArticleID']; 

 }

 // Create Date Time Field 

 $dateTime = date("Y-m-d H:i:s"); 

  

  // Create SQL Query and Execute 

 $sql = "INSERT INTO comments (article,postDateTime,name,comment) 

VALUES ("; 

 $sql .= "'" . $articleID . "',"; 

 $sql .= "'" . $dateTime . "',"; 

 $sql .= "'" . $name . "',"; 

 $sql .= "'" . $comment . "'"; 

 $sql .= ")"; 

 mysql_query($sql,$dbLink); 

  

 // Close Database Connection  

 mysql_close($dbLink); 

  

 header("Location: " . $_POST['page']); 

} 

?>

Question by: producer88
 
LVL 18

Expert Comment

by:Hube02
the following will effectively remove any html from a string (or anything that looks like html):

preg_replace('#</?\w[^>]*>#', '', $string);

I would also suggest that instead of trying to add slashes yourself to data to be inserted into a MySQL database that you should use the function mysql_real_escape_string() http://us2.php.net/manual/en/function.mysql-real-escape-string.php
This is a function that was designed to make data safe for the database.
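An added example, not from the thread, that runs the regex suggested above against a few constructed inputs and reports whether a single pass leaves anything a browser will still parse as a tag opener, side by side with escaping the text at display time. The helper names and the test strings are constructed for this demo.

```php
<?php
// Added example (not from the original thread): exercises the tag-stripping
// regex suggested above against constructed inputs and contrasts it with
// escaping on output. All inputs below are constructed for the demo.

declare(strict_types=1);

/** The regex-based stripper proposed in the thread, applied once. */
function stripTags(string $s): string
{
    return preg_replace('#</?\w[^>]*>#', '', $s);
}

/** Output encoding: the browser receives text, never markup. */
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * True if the stripped string still contains '<' followed by a letter or
 * slash, i.e. something an HTML parser may still treat as a tag opener.
 */
function stillLooksLikeMarkup(string $stripped): bool
{
    return preg_match('#<[a-zA-Z/]#', $stripped) === 1;
}

// Constructed cases: input => whether one strip pass leaves markup behind.
$cases = [
    // The ordinary case the thread is about: the strip works.
    '<script>alert(1)</script>hello'      => false,
    // Unclosed tag: the regex requires a '>' so nothing is removed. Echoed
    // into a page, the browser closes the tag at the next '>' it finds.
    '<img src=x onerror=alert(1)'         => true,
    // Nested tag: one pass removes the inner <script> and the closing tag,
    // and the characters left over form a new <script> opener.
    '<<script>script>alert(1)</script>'   => true,
];

foreach ($cases as $input => $expectLeftover) {
    $stripped = stripTags($input);
    $leftover = stillLooksLikeMarkup($stripped);
    printf("%-38s -> %-22s markup left: %s\n",
        $input, $stripped, $leftover ? 'yes' : 'no');
    assert($leftover === $expectLeftover);
    // Escaping on output is safe whatever the strip left behind.
    assert(strpos(escapeForHtml($stripped), '<') === false);
}
```

Run it with `php strip_demo.php` (the filename is arbitrary). The second and third cases print "markup left: yes": the regex only removes complete, well-formed tags, while a browser is far more forgiving about what it accepts. That is why stripping on input is best treated as a tidy-up, with `htmlspecialchars()` applied at the point where the comment is written into the page as the control that actually prevents script from running.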
 

Author Comment

by:producer88
Thank you so much - but WHERE exactly does this go in the code I am using?
 
LVL 18

Expert Comment

by:Hube02
You could do

$comment = addslashes(preg_replace('#</?\w[^>]*>#', '', $_POST['frmComment']));

or, if you wanted to ensure that all HTML was removed from all posted content, you could do a loop before you set any values:

foreach ($_POST as $key => $value) {
  $_POST[$key] = preg_replace('#</?\w[^>]*>#', '', $value);
}
 

Author Comment

by:producer88
Okay - I entered the first code and it is still allowing javascript code to be entered - which then works in the comments box?!

Any idea what I might be doing wrong?
 
LVL 18

Expert Comment

by:Hube02
can you echo out the value of $_POST['frmComment'] before you do anything with it and then post what you get?

echo $_POST['frmComment']; die;

you may need to do a "view source" to see what is output. Perhaps there is something being put in there that is not being caught by the regex, though I don't see how.

For instance the attached code works fine for me:

<?php
 

$string = '<script type="text/javascript"><p>test paragraph<span> this is a span</span></p></script>';
 

$string = preg_replace('#</?[a-z][^>]*>#i', '', $string);
 

echo $string;
 

?>

 

Author Comment

by:producer88
I am sorry, but I don't understand what you are suggesting I do - not that experienced at writing PHP code.

Here is the entire PHP code for the page. Perhaps the upper portion that is counting characters has something to do with the reason it will not work for me?
<?php require_once("../../WA_ValidationToolkit/WAVT_Scripts_PHP.php"); ?>

<?php require_once("../../WA_ValidationToolkit/WAVT_ValidatedForm_PHP.php"); ?>

<?php 

if ($_SERVER["REQUEST_METHOD"] == "POST")  {

  $WAFV_Redirect = "comment_added.php";

  $_SESSION['WAVT_addcomment_Errors'] = "";

  if ($WAFV_Redirect == "")  {

    $WAFV_Redirect = $_SERVER["PHP_SELF"];

  }

  $WAFV_Errors = "";

  $WAFV_Errors .= WAValidateEL(((isset($_POST["frmComment"]))?$_POST["frmComment"]:"") . "",0,500,true,1);
 

  if ($WAFV_Errors != "")  {

    PostResult($WAFV_Redirect,$WAFV_Errors,"addcomment"); 

  }

}

?>

<?php  

require_once("dbConnection.php");  

if($_POST['Submit'] == "Add Comment"){ 
 

  

// Open Database Connection  

 $dbLink = mysql_connect($dbHost, $dbUser, $dbPass); 

 if (!$dbLink){ 

   die ("Database: Couldn`t connect to mySQL Server"); 

 } 

 mysql_select_db($dbName, $dbLink)  

  or die ("Database: Couldn`t open Database");  

 

 // Read data to insert into Database 

 if (!get_magic_quotes_gpc()) { 

  $name = addslashes($_POST['frmName']); 

$comment = addslashes(preg_replace('#</?\w[^>]*>#', '', $_POST['frmComment']));

$articleID = addslashes($_POST['frmArticleID']); 

 } else { 

  $name = $_POST['frmName']; 

  $comment = $_POST['frmComment']; 

  $articleID = $_POST['frmArticleID']; 

 }

 // Create Date Time Field 

 $dateTime = date("Y-m-d H:i:s"); 

  

  // Create SQL Query and Execute 

 $sql = "INSERT INTO comments (article,postDateTime,name,comment) 

VALUES ("; 

 $sql .= "'" . $articleID . "',"; 

 $sql .= "'" . $dateTime . "',"; 

 $sql .= "'" . $name . "',"; 

 $sql .= "'" . $comment . "'"; 

 $sql .= ")"; 

 mysql_query($sql,$dbLink); 

  

 // Close Database Connection  

 mysql_close($dbLink); 

  

 header("Location: " . $_POST['page']); 

} 

?> 

 
LVL 18

Expert Comment

by:Hube02
Add the attached code at the very top of the document that you posted. Run your form, then view the source of the page and post what it gives you. With this I will be able to have a better idea of exactly what you are dealing with.

What this will do is echo the contents of $_POST['frmComment'] to the browser. You will not be able to see the tags unless you view the page source.



<?php
 

if isset($_POST['frmComment']) {

  echo '('.$_POST['frmComment'].')'; die;

}
 

?>

 

Author Comment

by:producer88
Oops. Doing that created a totally blank page, no source code at all.
 
LVL 18

Expert Comment

by:Hube02
Sorry, I missed a close parenthesis, try this

<?php

 

if isset($_POST['frmComment'])) {

  echo '('.$_POST['frmComment'].')'; die;

}

 

?>

 

Author Comment

by:producer88
Nope, that did the same thing. No code at all, blank page!
 
LVL 18

Expert Comment

by:Hube02
You know, some days I think my head is not screwed on quite right when I can't even type up a simple if statement without making numerous errors. Anyway, try this one.



<?php

 

if (isset($_POST['frmComment'])) {

  echo '('.$_POST['frmComment'].')'; die;

}

 

?>

 

Author Comment

by:producer88
No worries!  I just appreciate the help as this one is beyond me!

Okay, that still doesn't prevent javascript code from being input and working once it is. But here is the source code for the page.



  
 

<head>

<style type="text/css">

<!--

body {

	font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;

	font-size: 12px;

	color: #FFF;

	background-repeat: no-repeat;

	margin-left: 0px;

	margin-top: 0px;

	background-color: #295c72;

}

#frmReview p {

	font-family: Verdana, Geneva, sans-serif;

	font-size: 11px;

	color: #FFF;

	text-align: left;

}

#comments_box {

	width: 380px;

}

a:link {

	color: #FC0;

	text-decoration: none;

}

a:visited {

	text-decoration: none;

}

a:hover {

	text-decoration: underline;

}

a:active {

	text-decoration: none;

}

-->

</style>

<script language=javascript>

//Edit the counter/limiter value as your wish

var count = "500";   //Example: var count = "175";

function limiter(){

var tex = document.frmReview.frmComment.value;

var len = tex.length;

if(len > count){

        tex = tex.substring(0,count);

        document.frmReview.frmComment.value =tex;

        return false;

}

document.frmReview.limit.value = count-len;

}
 

</script>
 

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"></head>
 

<body>

<div id="comments_box">Submit Your Video Review

  <form id="frmReview" name="frmReview" method="post" action="/01/includes/add_comment.php">

    <p>

      <label for="frmName">Name</label>
 

      

  <input name="frmName" type="text" id="Name" tabindex="10" size="40" />

      </p>

    <p>

      <label for="frmComment">Comment</label>

      <br />

      <textarea name="frmComment" cols="50" rows="3" id="Comment" tabindex="20" onkeyup=limiter()></textarea>

    </p>

    <p>
 

      <input type="hidden" name="frmArticleID" id="ArticleID" value=""/>

      <input type="hidden" name="page" id="page" value=""/>

  <script language=javascript>

document.write("<input type=text name=limit size=4 readonly value="+count+">");

</script> Characters left      

		<input type="submit" name="Submit" id="Submit" value="Add Comment" tabindex="30" />
 

    <a href = "javascript:history.back()">Back to Comments</a> </p>
 

  </form>
 

</div>

</body>

</html>

 

Author Comment

by:producer88
BTW - that last code did not enter anything into the database, but it did show the javascript code in the input window and did not redirect to the error page or back to the input form.
 
LVL 18

Expert Comment

by:Hube02
This isn't at all what I need to see. Somehow we are at cross purposes.

Let's try something else. Edit your section of code to look like the attached snippet, then try to submit your form and send me what is output to the browser. I need to see what is in the comment so I know how to remove it.



// Read data to insert into Database

  // this is the line we are adding to see what is in

  // $_POST['frmComment']

 echo htmlentities($_POST['frmComment']);die;

 if (!get_magic_quotes_gpc()) { 

  $name = addslashes($_POST['frmName']); 

  $comment = addslashes($_POST['frmComment']); 

  $articleID = addslashes($_POST['frmArticleID']); 

 } else { 

  $name = $_POST['frmName']; 

  $comment = $_POST['frmComment']; 

  $articleID = $_POST['frmArticleID']; 

 }

 

Author Comment

by:producer88
I am sorry - maybe this will help clarify what's going on!

COMMENTS BOX
http://www.dogvideolibrary.com/01/01_herding/call_comments1_test.php

Go to this URL with "click here to add comment"

When you click and add a comment - I need the user to be returned to the comments list (this URL above)

Both of these two docs reside in an iFrame inside a Flowplayer flash player info tab. Right now, it is working great, but allowing the input of javascript. So some idiot could actually copy the "embed" code and stick it into the comments box, which someone did already!

Here is a link to the live files working on the site:  http://www.dogvideolibrary.com/01/02_basenji.php
 
LVL 18

Expert Comment

by:Hube02
this won't help me, I would need to be able to edit the code. I can't run your code locally because I don't have all the files and even if I could there would be differences because of the different servers.

What I really need to know is what the text is in the $_POST variable just before we attempt the preg_replace(). The only way to do this is to echo what is in that variable to the browser.

With that information I could make sure we are looking for the right thing.
 

Author Comment

by:producer88
Here is all the code for the page.  Is this what you need?  I had given this above.
<?php

 

if (isset($_POST['frmComment'])) {

  echo '('.$_POST['frmComment'].')'; die;

}

 

?>

<?php require_once("../../WA_ValidationToolkit/WAVT_Scripts_PHP.php"); ?>

<?php require_once("../../WA_ValidationToolkit/WAVT_ValidatedForm_PHP.php"); ?>

<?php 

if ($_SERVER["REQUEST_METHOD"] == "POST")  {

  $WAFV_Redirect = "comment_added.php";

  $_SESSION['WAVT_addcomment_Errors'] = "";

  if ($WAFV_Redirect == "")  {

    $WAFV_Redirect = $_SERVER["PHP_SELF"];

  }

  $WAFV_Errors = "";

  $WAFV_Errors .= WAValidateEL(((isset($_POST["frmComment"]))?$_POST["frmComment"]:"") . "",0,500,true,1);
 

  if ($WAFV_Errors != "")  {

    PostResult($WAFV_Redirect,$WAFV_Errors,"addcomment"); 

  }

}

?>

<?php  

require_once("dbConnection.php");  

if($_POST['Submit'] == "Add Comment"){ 
 

  

// Open Database Connection  

 $dbLink = mysql_connect($dbHost, $dbUser, $dbPass); 

 if (!$dbLink){ 

   die ("Database: Couldn`t connect to mySQL Server"); 

 } 

 mysql_select_db($dbName, $dbLink)  

  or die ("Database: Couldn`t open Database");  

 

 // Read data to insert into Database 

 if (!get_magic_quotes_gpc()) { 

  $name = addslashes($_POST['frmName']); 

$comment = addslashes(preg_replace('#</?\w[^>]*>#', '', $_POST['frmComment']));

$articleID = addslashes($_POST['frmArticleID']); 

 } else { 

  $name = $_POST['frmName']; 

  $comment = $_POST['frmComment']; 

  $articleID = $_POST['frmArticleID']; 

 }

 // Create Date Time Field 

 $dateTime = date("Y-m-d H:i:s"); 

  

  // Create SQL Query and Execute 

 $sql = "INSERT INTO comments (article,postDateTime,name,comment) 

VALUES ("; 

 $sql .= "'" . $articleID . "',"; 

 $sql .= "'" . $dateTime . "',"; 

 $sql .= "'" . $name . "',"; 

 $sql .= "'" . $comment . "'"; 

 $sql .= ")"; 

 mysql_query($sql,$dbLink); 

  

 // Close Database Connection  

 mysql_close($dbLink); 

  

 header("Location: " . $_POST['page']); 

} 

?> 
 

<head>

<style type="text/css">

<!--

body {

	font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;

	font-size: 12px;

	color: #FFF;

	background-repeat: no-repeat;

	margin-left: 0px;

	margin-top: 0px;

	background-color: #295c72;

}

#frmReview p {

	font-family: Verdana, Geneva, sans-serif;

	font-size: 11px;

	color: #FFF;

	text-align: left;

}

#comments_box {

	width: 380px;

}

a:link {

	color: #FC0;

	text-decoration: none;

}

a:visited {

	text-decoration: none;

}

a:hover {

	text-decoration: underline;

}

a:active {

	text-decoration: none;

}

-->

</style>

<script language=javascript>

//Edit the counter/limiter value as your wish

var count = "500";   //Example: var count = "175";

function limiter(){

var tex = document.frmReview.frmComment.value;

var len = tex.length;

if(len > count){

        tex = tex.substring(0,count);

        document.frmReview.frmComment.value =tex;

        return false;

}

document.frmReview.limit.value = count-len;

}
 

</script>
 

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"></head>
 

<body>

<div id="comments_box">Submit Your Video Review

  <form id="frmReview" name="frmReview" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

    <p>

      <label for="frmName">Name</label>

      

  <input name="frmName" type="text" id="Name" tabindex="10" size="40" />

      </p>

    <p>

      <label for="frmComment">Comment</label>

      <br />

      <textarea name="frmComment" cols="50" rows="3" id="Comment" tabindex="20" onkeyup=limiter()></textarea>

    </p>

    <p>

      <input type="hidden" name="frmArticleID" id="ArticleID" value="<?php echo $_GET['id']; ?>"/>

      <input type="hidden" name="page" id="page" value="<?php echo $_GET['page']; ?>"/>

  <script language=javascript>

document.write("<input type=text name=limit size=4 readonly value="+count+">");

</script> Characters left      

		<input type="submit" name="Submit" id="Submit" value="Add Comment" tabindex="30" />
 

    <a href = "javascript:history.back()">Back to Comments</a> </p>
 

  </form>

</div>

</body>

</html>

 
LVL 18

Expert Comment

by:Hube02
Change your code to the following, then try to submit the form and copy and paste what you get.

<?php require_once("../../WA_ValidationToolkit/WAVT_Scripts_PHP.php"); ?>

<?php require_once("../../WA_ValidationToolkit/WAVT_ValidatedForm_PHP.php"); ?>

<?php 

if ($_SERVER["REQUEST_METHOD"] == "POST")  {

  $WAFV_Redirect = "comment_added.php";

  $_SESSION['WAVT_addcomment_Errors'] = "";

  if ($WAFV_Redirect == "")  {

    $WAFV_Redirect = $_SERVER["PHP_SELF"];

  }

  $WAFV_Errors = "";

  $WAFV_Errors .= WAValidateEL(((isset($_POST["frmComment"]))?$_POST["frmComment"]:"") . "",0,500,true,1);

 

  if ($WAFV_Errors != "")  {

    PostResult($WAFV_Redirect,$WAFV_Errors,"addcomment"); 

  }

}

?>

<?php  

require_once("dbConnection.php");  

if($_POST['Submit'] == "Add Comment"){ 

 

  

// Open Database Connection  

 $dbLink = mysql_connect($dbHost, $dbUser, $dbPass); 

 if (!$dbLink){ 

   die ("Database: Couldn`t connect to mySQL Server"); 

 } 

 mysql_select_db($dbName, $dbLink)  

  or die ("Database: Couldn`t open Database");  

 

 // Read data to insert into Database 
 

// add this

 echo htmlentities($_POST['frmComment']);die;
 

 if (!get_magic_quotes_gpc()) { 

  $name = addslashes($_POST['frmName']); 

$comment = addslashes(preg_replace('#</?\w[^>]*>#', '', $_POST['frmComment']));

$articleID = addslashes($_POST['frmArticleID']); 

 } else { 

  $name = $_POST['frmName']; 

  $comment = $_POST['frmComment']; 

  $articleID = $_POST['frmArticleID']; 

 }

 // Create Date Time Field 

 $dateTime = date("Y-m-d H:i:s"); 

  

  // Create SQL Query and Execute 

 $sql = "INSERT INTO comments (article,postDateTime,name,comment) 

VALUES ("; 

 $sql .= "'" . $articleID . "',"; 

 $sql .= "'" . $dateTime . "',"; 

 $sql .= "'" . $name . "',"; 

 $sql .= "'" . $comment . "'"; 

 $sql .= ")"; 

 mysql_query($sql,$dbLink); 

  

 // Close Database Connection  

 mysql_close($dbLink); 

  

 header("Location: " . $_POST['page']); 

} 

?> 

 

<head>

<style type="text/css">

<!--

body {

	font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;

	font-size: 12px;

	color: #FFF;

	background-repeat: no-repeat;

	margin-left: 0px;

	margin-top: 0px;

	background-color: #295c72;

}

#frmReview p {

	font-family: Verdana, Geneva, sans-serif;

	font-size: 11px;

	color: #FFF;

	text-align: left;

}

#comments_box {

	width: 380px;

}

a:link {

	color: #FC0;

	text-decoration: none;

}

a:visited {

	text-decoration: none;

}

a:hover {

	text-decoration: underline;

}

a:active {

	text-decoration: none;

}

-->

</style>

<script language=javascript>

//Edit the counter/limiter value as your wish

var count = "500";   //Example: var count = "175";

function limiter(){

var tex = document.frmReview.frmComment.value;

var len = tex.length;

if(len > count){

        tex = tex.substring(0,count);

        document.frmReview.frmComment.value =tex;

        return false;

}

document.frmReview.limit.value = count-len;

}

 

</script>

 

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"></head>

 

<body>

<div id="comments_box">Submit Your Video Review

  <form id="frmReview" name="frmReview" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

    <p>

      <label for="frmName">Name</label>

      

  <input name="frmName" type="text" id="Name" tabindex="10" size="40" />

      </p>

    <p>

      <label for="frmComment">Comment</label>

      <br />

      <textarea name="frmComment" cols="50" rows="3" id="Comment" tabindex="20" onkeyup=limiter()></textarea>

    </p>

    <p>

      <input type="hidden" name="frmArticleID" id="ArticleID" value="<?php echo $_GET['id']; ?>"/>

      <input type="hidden" name="page" id="page" value="<?php echo $_GET['page']; ?>"/>

  <script language=javascript>

document.write("<input type=text name=limit size=4 readonly value="+count+">");

</script> Characters left      

		<input type="submit" name="Submit" id="Submit" value="Add Comment" tabindex="30" />

 

    <a href = "javascript:history.back()">Back to Comments</a> </p>

 

  </form>

</div>

</body>

</html>

 
LVL 18

Expert Comment

by:Hube02
Just so that you know what has changed: I removed the code from the beginning that I told you to add, and I added the line that is at line 34 in the above posted code.
 

Author Comment

by:producer88
Thanks so much for all your time today. I must step away from the computer and tend to family holiday issues now. Will get back to this tomorrow and hope that you will continue to work me through until we get it going right! Hope you have a nice evening.
 

Author Comment

by:producer88
I do apologize for taking so long to get back to this problem.  I have tried the code above and what happens is this:

When javascript code is entered in the comment box, all code on the entire page is replaced by this javascript line of code.  Literally, the view source shows the following:

 <a href = \&quot;javascript:history.back()\&quot;>Back to Comments</a>

which is what was entered into the comments box and submitted.

Thank you again for your patience as I continue to try to resolve the issue.  I hope this helps!
 
LVL 18

Expert Comment

by:Hube02
That's exactly what's supposed to happen, because of this line (line 34 of the code I posted):

echo htmlentities($_POST['frmComment']);die;

Now I can see what the actual code you are trying to eliminate looks like.

What I need to know is if you want to disallow all links or just links with javascript in them?

 
LVL 18

Expert Comment

by:Hube02
But we are trying to remove HTML and the code I posted should remove the link completely, let me look at this again....
 

Author Comment

by:producer88
Yes, it removes the link and code - but it does away with the code I had that would put the user back to the comments list, or a blank comment entry box.  This is just bouncing user back to a page with only the text entered on it.
 
LVL 18

Accepted Solution

by: Hube02 (earned 500 total points)
This last one adds the preg_replace to both places where the $comment value is set. This should remove the HTML from the input.

Let me know

<?php require_once("../../WA_ValidationToolkit/WAVT_Scripts_PHP.php"); ?>

<?php require_once("../../WA_ValidationToolkit/WAVT_ValidatedForm_PHP.php"); ?>

<?php 

if ($_SERVER["REQUEST_METHOD"] == "POST")  {

  $WAFV_Redirect = "comment_added.php";

  $_SESSION['WAVT_addcomment_Errors'] = "";

  if ($WAFV_Redirect == "")  {

    $WAFV_Redirect = $_SERVER["PHP_SELF"];

  }

  $WAFV_Errors = "";

  $WAFV_Errors .= WAValidateEL(((isset($_POST["frmComment"]))?$_POST["frmComment"]:"") . "",0,500,true,1);

 

  if ($WAFV_Errors != "")  {

    PostResult($WAFV_Redirect,$WAFV_Errors,"addcomment"); 

  }

}

?>

<?php  

require_once("dbConnection.php");  

if($_POST['Submit'] == "Add Comment"){ 

 

  

// Open Database Connection  

 $dbLink = mysql_connect($dbHost, $dbUser, $dbPass); 

 if (!$dbLink){ 

   die ("Database: Couldn`t connect to mySQL Server"); 

 } 

 mysql_select_db($dbName, $dbLink)  

  or die ("Database: Couldn`t open Database");  

 

 // Read data to insert into Database 

 

 if (!get_magic_quotes_gpc()) { 

  $name = addslashes($_POST['frmName']); 

$comment = addslashes(preg_replace('#</?\w[^>]*>#', '', $_POST['frmComment']));

$articleID = addslashes($_POST['frmArticleID']); 

 } else { 

  $name = $_POST['frmName']; 

  $comment = preg_replace('#</?\w[^>]*>#', '', $_POST['frmComment']); 

  $articleID = $_POST['frmArticleID']; 

 }

 // Create Date Time Field 

 $dateTime = date("Y-m-d H:i:s"); 

  

  // Create SQL Query and Execute 

 $sql = "INSERT INTO comments (article,postDateTime,name,comment) 

VALUES ("; 

 $sql .= "'" . $articleID . "',"; 

 $sql .= "'" . $dateTime . "',"; 

 $sql .= "'" . $name . "',"; 

 $sql .= "'" . $comment . "'"; 

 $sql .= ")"; 

 mysql_query($sql,$dbLink); 

  

 // Close Database Connection  

 mysql_close($dbLink); 

  

 header("Location: " . $_POST['page']); 

} 

?> 

 

<head>

<style type="text/css">

<!--

body {

	font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;

	font-size: 12px;

	color: #FFF;

	background-repeat: no-repeat;

	margin-left: 0px;

	margin-top: 0px;

	background-color: #295c72;

}

#frmReview p {

	font-family: Verdana, Geneva, sans-serif;

	font-size: 11px;

	color: #FFF;

	text-align: left;

}

#comments_box {

	width: 380px;

}

a:link {

	color: #FC0;

	text-decoration: none;

}

a:visited {

	text-decoration: none;

}

a:hover {

	text-decoration: underline;

}

a:active {

	text-decoration: none;

}

-->

</style>

<script language=javascript>

//Edit the counter/limiter value as your wish

var count = "500";   //Example: var count = "175";

function limiter(){

var tex = document.frmReview.frmComment.value;

var len = tex.length;

if(len > count){

        tex = tex.substring(0,count);

        document.frmReview.frmComment.value =tex;

        return false;

}

document.frmReview.limit.value = count-len;

}

 

</script>

 

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"></head>

 

<body>

<div id="comments_box">Submit Your Video Review

  <form id="frmReview" name="frmReview" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

    <p>

      <label for="frmName">Name</label>

      

  <input name="frmName" type="text" id="Name" tabindex="10" size="40" />

      </p>

    <p>

      <label for="frmComment">Comment</label>

      <br />

      <textarea name="frmComment" cols="50" rows="3" id="Comment" tabindex="20" onkeyup=limiter()></textarea>

    </p>

    <p>

      <input type="hidden" name="frmArticleID" id="ArticleID" value="<?php echo $_GET['id']; ?>"/>

      <input type="hidden" name="page" id="page" value="<?php echo $_GET['page']; ?>"/>

  <script language=javascript>

document.write("<input type=text name=limit size=4 readonly value="+count+">");

</script> Characters left      

		<input type="submit" name="Submit" id="Submit" value="Add Comment" tabindex="30" />

 

    <a href = "javascript:history.back()">Back to Comments</a> </p>

 

  </form>

</div>

</body>

</html>

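As an added example (not the asker's code and not the accepted answer), here is the same INSERT and redirect rewritten so that the database is given parameters rather than quoted strings, the redirect target is checked rather than taken straight from the form, and the comment is escaped when it is displayed. It assumes the pdo_sqlite and mbstring extensions so it can run offline against an in-memory table standing in for the MySQL `comments` table; in production the DSN would point at MySQL. The `$post` array is a constructed submission.

```php
<?php
// Added example (not from the original thread): a hardened version of the
// comment insert and redirect. Assumes pdo_sqlite and mbstring are loaded;
// the in-memory database stands in for the MySQL "comments" table.

declare(strict_types=1);

// Constructed stand-in for a submitted form, with a hostile redirect target.
$post = [
    'Submit'       => 'Add Comment',
    'frmName'      => "O'Brien",
    'frmComment'   => '<img src=x onerror=alert(1)> nice video',
    'frmArticleID' => '12',
    'page'         => 'http://evil.example/phish',
];

/** Opens an in-memory database with the same columns as the thread's table. */
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE comments (
        article INTEGER, postDateTime TEXT, name TEXT, comment TEXT)');
    return $db;
}

/**
 * Inserts with bound parameters. The data never touches the SQL text, so
 * neither addslashes() nor magic_quotes has any role to play.
 */
function addComment(PDO $db, array $post): int
{
    $articleId = filter_var($post['frmArticleID'] ?? '', FILTER_VALIDATE_INT);
    if ($articleId === false) {
        throw new InvalidArgumentException('frmArticleID must be an integer');
    }
    $stmt = $db->prepare(
        'INSERT INTO comments (article, postDateTime, name, comment)
         VALUES (:article, :dt, :name, :comment)'
    );
    $stmt->execute([
        ':article' => $articleId,
        ':dt'      => date('Y-m-d H:i:s'),
        ':name'    => mb_substr((string)($post['frmName'] ?? ''), 0, 80),
        // 500 matches the limit the page's validator already enforces.
        ':comment' => mb_substr((string)($post['frmComment'] ?? ''), 0, 500),
    ]);
    return (int)$db->lastInsertId();
}

/**
 * The original did header("Location: " . $_POST['page']), so the form decides
 * where the user lands. Accept only a same-site path: a single leading '/',
 * not '//host' or '/\host', and no whitespace (which also rules out CR/LF).
 */
function safeRedirectTarget(string $candidate, string $fallback = '/'): string
{
    if (preg_match('#\A/(?![/\\\\])\S*\z#', $candidate) === 1) {
        return $candidate;
    }
    return $fallback;
}

/** Escapes text for an HTML context; applied when rendering, not on input. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderComment(array $row): string
{
    return '<p><b>' . h((string)$row['name']) . '</b>: '
         . h((string)$row['comment']) . '</p>';
}

$db = openDb();
addComment($db, $post);
$row = $db->query('SELECT name, comment FROM comments')->fetch(PDO::FETCH_ASSOC);

echo renderComment($row), "\n";
echo 'Location: ', safeRedirectTarget((string)$post['page']), "\n";
```

Run with `php harden_demo.php` (any filename). The stored comment still contains the literal `<img ...>` text, which is fine: it is encoded to entities when rendered, so the browser shows it as text. The redirect line falls back to `/` because the submitted `page` value is an absolute URL to another host. The same `safeRedirectTarget()` check belongs in front of the `header("Location: ...")` call in the original script, and the `mysql_*` calls are best replaced with PDO or mysqli prepared statements in the same shape as `addComment()` above.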
 

Author Comment

by:producer88
Oh, I am so happy!  That appears to be working perfectly!  I entered the javascript code and it stripped out the code, left only the text and sent me back to the list of comments!

THANK YOU SO MUCH!  I appreciate your patience and your expertise in helping me resolve this issue.
 

Author Closing Comment

by:producer88
Excellent job, thanks for your patience and expertise!