PHP: strip html+php from message
Yes, I am having a normal output from the database of a message, with this:
echo nl2br($show["status"]);
I am at a huge risk, as you can use HTML, e.g. if you write <h1>HAHA</h1>
it turns out as HTML. If I do <?php echo "HAHA"; ?>
nothing gets output, so I think it runs the echo. How can I be most safe, and strip everything a user would try to do: HTML, PHP and so on?
Entering <?php echo "HAHA"; ?>
doesn't appear to do anything. If you right-click to "view source" on the page you will see it is just output as plain text which the browser hides.
Also, you are set up for a CSRF attack by not escaping your output. Instead use htmlspecialchars and strip_tags.
print nl2br(htmlspecialchars(strip_tags($show["status"]), ENT_QUOTES, 'utf-8'));
Also, strip_tags isn't enough on its own, as it doesn't validate bad HTML.
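As an added example (not code from the thread), the following script puts the questioner's raw `nl2br` output next to the escaped form from the answer above, so the difference can be seen on one constructed message. `$show` is a hypothetical database row; its `status` text is constructed here to contain an HTML tag, a PHP open tag and a few bare special characters.

```php
<?php
// Added example, not from the original thread. $show stands in for the
// database row from the question; its content is constructed for the demo.
declare(strict_types=1);

$show = ['status' => "Hello <h1>HAHA</h1>\n<?php echo \"HAHA\"; ?>\nA & B < C"];

// What the question does: markup stored in the message reaches the browser
// as live HTML (stored XSS). The PHP tag is not executed, it is only text.
function render_unsafe(string $status): string
{
    return nl2br($status);
}

// What the answer suggests: strip tags first, then encode the remaining
// special characters (<, >, &, ", ') so the browser shows them literally.
// nl2br must run last, otherwise its own <br /> would be encoded too.
function render_safe(string $status): string
{
    return nl2br(htmlspecialchars(strip_tags($status), ENT_QUOTES, 'UTF-8'));
}

// Escape-only variant: no strip_tags, so the user's text stays visible
// verbatim (including the literal <h1> and <?php text) but is still inert.
function render_escaped(string $status): string
{
    return nl2br(htmlspecialchars($status, ENT_QUOTES, 'UTF-8'));
}

echo "--- unsafe ---\n", render_unsafe($show['status']), "\n";
echo "--- strip_tags + htmlspecialchars ---\n", render_safe($show['status']), "\n";
echo "--- htmlspecialchars only ---\n", render_escaped($show['status']), "\n";
```

Run it with `php example.php` and compare the three sections: only the first one contains a raw `<h1>` that a browser would interpret. Note that `strip_tags` also drops whatever sits between the tags it removes, so for a message board the escape-only variant usually preserves more of what the user actually typed while being just as safe to output inside an HTML body.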
I think you're looking for the function htmlspecialchars(), which masks all HTML entities in a string.
see: http://www.php.net/manual/en/function.htmlspecialchars.php
Use strip_tags.
http://php.net/manual/en/function.strip-tags.php
You will probably have to try a few different things, but you can do mysql_real_escape_string to start.
strip_tags() will remove HTML. PHP isn't an issue; if you output it to a browser, it's just text and not executed.
Check out strip_tags: http://php.net/manual/en/function.strip-tags.php
$noHtmlString = strip_tags($text);
Strings stored in the database that contain <?php echo "HAHA"; ?>
won't be processed by PHP so should be safe anyway.
I think strip_tags will meet your needs. http://www.php.net/manual/en/function.strip-tags.php