How to prevent HTML with PHP?

Hi all,

I’m not sure if this is the right way to do this, I have a contact form (processor code posted below) however I’m getting alot of html spam in the textarea. I’m trying to prevent this. I believe I would have to use strip_tags to do this?
When I googled my issue I found this bit of code:

$all_tags_filtered = strip_tags($_POST['comments']);

I’m not sure if something like the above is correct or how to implement that into my processor though. Could anyone shed some light on how to do this?

<?php

$yourEmail = "demo@demo";

$subject = "$_REQUEST[first_name] $_REQUEST[last_name] is requesting notification";

$body = "Subject: $subject \
 First Name: $_REQUEST[first_name] \
 Last Name: $_REQUEST[last_name] \
 Postal Code: $_REQUEST[postal_code] \
 Email Address: $_REQUEST[email] \
 Comments: $_REQUEST[comments] \
 ";

$thankyousubject = "Request Submitted Successfully.";

$thankyoumsg = "Thank you $_REQUEST[first_name] $_REQUEST[last_name] we have recieved your information.";

$redirect = "Please click the banner to return to the homepage.";


?>
<?php
mail($yourEmail, $subject, $body, "From: $_REQUEST[first_name] $_REQUEST[last_name] < $_REQUEST[email] >");
print "<CENTER><B><body bgcolor='#FFFFFF'><font color='#000000'> $thankyousubject </B></CENTER><br><br><center>$thankyoumsg</center><BR><BR><center>$redirect</center><BR><CENTER></font></CENTER></body>"

?>

Yeah…you have bigger problems then just HTML. You are directly using $_REQUEST without sanitizing it…Anything you do can be circumvented.

sorry i’m kind of a PHP newbie and u lost me there.

Replace

$_REQUEST[first_name]

with

strip_tags($_POST[first_name])

and similarly for the rest of the fields.

thank you felgall!

should i be doing something with my $_REQUEST also as was suggested above…did i do something wrong in that regard (since i am only going to be applying the strip_tags to one field)?

You should apply strip_tags() to every one of your fields, or else you’ll have larger problems than just HTML in your comments.

could you explain why there is a problem if i don’t have it applied to all my fields? is there something unsafe about the REQUEST that i have done?

$_REQUEST takes both $_POST and $_GET as possible inputs. This can cause ambiguity when you both post and get a key to those arrays. Ideally, you should be using either post or get, but almost never Request.

You should also be using strip_tags() on all pieces of input the user provides, not just the content field. I’m going to ask you to trust me on that one, because I truthfully don’t have time to explain things like cross site scripting at the moment.

Please read: http://www.nyphp.org/PHundamentals/8_Preventing-Email-Header-Injection

$_REQUEST can also retrieve values from cookies so you don’t know when using that whether the value was passed using $_POST, $_GET or $_COOKIE

The only fields where you wouldn’t need to use strip_tags are those that are allowed to contain JavaScript and those where some other validation you are applying means that the field couldn’t possibly contain HTML (such as applying is_numeric or is_alphabetic instead).

In my first post in this thread I gave an example of how to change one of the fields. At no point was I trying to suggest that the change only needed to be made to that field. The same change needs to be made to all form fields (except where other validation is being applied instead of strip_tags).

I’ve never used $_REQUEST on anything more than a passing basis; I didn’t know that was true. Learn something new every day.