Skip to content Skip to sidebar Skip to footer
Home / Html / Php

Don't Allow User To Enter Html Tags In Input

Post a Comment
I have an input which allows users to enter text, which is then sent using PHP to another page, where it is stored in a database. I have done some simple validation ( checking if t

Solution 1:

To check try this:

if( preg_match('#^<.>.+</.>$#', $your_value) ){
    echo"NOT GOOD";  // and some error too
}

Solution 2:

You could do this:

<inputtype='text' pattern='[a-zA-Z0-9]+'>

That ensures only letters and numbers can go in and wont submit if anything else is inside the input.

However, this is only good client side and will only work for IE9+

This is also not the best method for validation if someone knows what they're doing. All they have to do is go into the source code to take out the pattern attribute, but for those who don't know, it will be fine.

For the PHP, you can use strip_tags(). Found here

Solution 3:

You can simply use htmlspecialchars, or strip_tags before inserting into database.

You can also use mysqli_real_escape_string or PDO::quote to secure strings

Post a Comment for "Don't Allow User To Enter Html Tags In Input"