Don't allow user to enter HTML tags in input

后端未结

关注

 3  848

I have an input which allows users to enter text, which is then sent using PHP to another page, where it is stored in a database. I have done some simple validation ( checking i

相关标签:

3条回答

夕颜

2021-01-22 04:15

You can simply use htmlspecialchars, or strip_tags before inserting into database.

You can also use mysqli_real_escape_string or PDO::quote to secure strings

0 讨论(0)
发布评论:

提交评论
- 加载中...
轻奢々

2021-01-22 04:17
You could do this:
```
<input type='text' pattern='[a-zA-Z0-9]+'>
```
That ensures only letters and numbers can go in and wont submit if anything else is inside the input.

However, this is only good client side and will only work for IE9+

This is also not the best method for validation if someone knows what they're doing. All they have to do is go into the source code to take out the pattern attribute, but for those who don't know, it will be fine.

For the PHP, you can use strip_tags(). Found here
0 讨论(0)
发布评论:

提交评论
- 加载中...

春和景丽

2021-01-22 04:18

To check try this:

if( preg_match('#^<.>.+</.>$#', $your_value) ){
    echo "NOT GOOD";  // and some error too
}

0 讨论(0)