a safe comment form

**james438** · 09-15-2008, 04:47 PM

Not sure if this is the right place for this question, but I am considering designing a comment page for my site. I could add limits to

disable or limit the size of images
limit and truncate the size of submitted content
another to prevent rapid submissions
diable the '<'
and record the user's ip address in case I need to block them

Does that sound about right?

**boogyman** · 09-15-2008, 05:42 PM

those are all good thoughts.

instead of disabling the html elements, my suggestion is that you just escape them or replace them with their character code equivalent...

Code:

< character code is &lt;

**james438** · 09-15-2008, 08:24 PM

I was planning on replacing < with its code equivalent, but I did not know you could escape it. What would the code for that look like? echo"\<img src='www.site.com/image.jpg>"; will still output an image.

**boogyman** · 09-15-2008, 08:34 PM

i meant escaping for all injection. Some are listed below

strip_tags()
htmlentities()
mysql_real_escape_string()
addslashes()

**james438** · 09-15-2008, 08:35 PM

hehe, I have not used strip_tags() in so long I forgot all about that one

thanks

**Medyman** · 09-16-2008, 01:52 AM

Instead of allowing HTML markup on my comment forms, I generally always only allow Markdown.

Those that know how to use it are generally knowledgeable enough to know the purpose of HTML markup. Otherwise, I don't think HTML is really necessary (or safe) in comment forms.

You've got a fairly comprehensive list of precautions you could take to ensure a safe form. You might also limit the number of links. Often spammers post somewhat coherent comments riddled with links. That gets into the realm of moderating/censoring content which you may/may not want to get into.

Thread: a safe comment form

Thread Tools

Search Thread

a safe comment form

Bookmarks

Bookmarks

Posting Permissions