Stop people injecting code

[Akula_dude]

Im writing myself a clansite and I (will) have a guestbook, forums, and screenshot uploading. All of these (will) work, but Im worried about security. How do I strip off code from inputs? Because right now if someone posted in the guestbook or forum with </body> or something it would screw the whole thing up.Any help is much appreciated. And im sure this has been asked before, but I couldnt find it in a search...

[eguru]

well you must not allow HTML tags in the forum to execute, if u even allow them.

[Akula_dude]

Yeah, thats what i meant :)Im not sure how to do that though... I still want to have html code display in the forums, just not particular tags (like </body> etc). Is it possible to replace particular tags? For example, someone types </body> into their post and it shows as </body>, without executing any code?

[skym]

addslashes, htmlentities, or mysql_real_escape_string if the output is for databases. Search for them at php.net

[Akula_dude]

Cool, i think i've got it. Thanks!

[eguru]

what did you get

[reportingsjr]

take the easy way before putting into the database with eregi_replace.

$posted = $_POST['post'];$post = eregi_replace("<", "<", $posted);

[justsomeguy]

That code didn't come through, it printed the character. But there's no reason to use regular expressions for things like this, the regular expression engine is fairly slow and requires more overhead then str_replace. Regular expressions get their power because they can find a pattern instead of a specific string. But when finding or replacing a specific string or character, it's always better to not use regexp.

[Akula_dude]

Well, I kind of gave up. I've been writing my clansite and forums for a while now, and I decided that it was a bit above me since I've only been learning PHP six weeks. So... PHP-Fusion it is.Rest assured, I will complete my clansite sometime and swap it over from the CMS, but not yet