How do I block HTML in my form input?

So, I have a basic little script that takes input from an HTML form, is processes by PHP and then writes it to a text file in the form of CSS. I've already got some jerkwad trying to drop tables on the server (There is no SQL but I'd like to keep people from trying none the less) Here is the code that I have thus far, can someone help me block potentially bad input via htmlentities or something else?

The HTML Form

<html><body>
<h4>Codes Form</h4>
<form action="codes.php" method="post"> 

Username: <input name="Username" type="text" />
Usercode: <input name="Usercode" type="text" /> 

<input type="submit" value="Post It!" />
</form>
</body></html>

The PHP

    <html><body>
 <?php 

 $Friendcode = $_POST['Usercode'];
 $Username = $_POST['Username'];

echo "You have recorded the following information on the server ". $Username . " " . $Usercode . ".<br />"; echo "Thanks for contributing!";


$output = ".author[href\$=\"$Use开发者_运维知识库rname\"]:after { \n"
       ."content: \" ($Usercode)\" !important\n"
       ."}";
}
$fp = fopen('file.txt', 'a');
fwrite($fp, $output);
fwrite($fp, "\n");
fclose($fp);
?>


</body></html>

You can use htmlentities to convert html tags to their html equiv. < etc. Or you can use strp_tags to get rid of all html tags. If you are using sql use mysql_real_escape_string to make sql queries safer

Whenever you include data entered by the user in HTML code, it is always a good idea to first encode the data, by passing it into htmlspecialchars().

Think of it as a decontamination chamber. This will ensure that any of the HTML special chacters, such as "<" and ">" (deadly viruses) are properly escaped (killed) and won't show up in your page as "real" HTML tags (won't make your webpage sick).

Similarly, you must also encode user input when including it in SQL queries. The function that you use for this purpose varies depending on the database that you are using. Because of the dynamic nature of PHP, if you are a including numeric value in a SQL query, you must first check to make sure the variable contains a number by using functions such as is_numeric() and ctype_digit().

I think the best way to block HTML is to allow only the characters you think a username or a user code may have.

For example, limit the input to letters, numbers and underscores and trim the whitespaces in the beginning and the end of the string. This validation will fail whenever HTML code is provided as input.

I would suggest doing this on both client and server side, with a regex. A client-side example can be found here: jQuery remove all HTML tags EXCEPT Anchors

What happen if someone directly type the url of code.php in browser. They will get the Notice of undefined offset.

You should make at least a check if $_POST is not empty.

if(isset($_POST['submit']) && !empty($_POST))
{
  //do operation
}

Validate the user name and user code for special characters and what you allow them to enter with PHP sever side

@Zer0mod: I'd use strip_tags to get rid of HTML and mysql_real_escape_string to take care of any potential SQL injections.

Use PHP to convert every symbol to HTML numbers! Head on over to htmlentities() for details about doing so.