
On my website I have a comment section. I want to filter and validate the input before I store it in my database. If there are any invalid chars in the input, the user gets the notice that his input is invalid.

My question: which chars are not allowed? E.g. I want to avoid SQL injections.

Tags are not allowed. How do I check that?

1 Answer


If you are using Zend_Db and parameterised queries (i.e. $adapter->insert($tableName, array('param' => 'value'))), then it will automagically escape everything for you.

If however you want to further validate the user input, have a look at Zend_Validate and Zend_Filter.

Also, if by "tags" you mean HTML tags, I wouldn't do anything to those on input, but do make sure you properly escape / strip them on output (have a look at htmlspecialchars()).

If you want to display an error message if the input contains HTML tags, and assuming $comment is the comment body, you could try:

if (strip_tags($comment) !== $comment) {
    // strip_tags() changed the string, so it contained some HTML tags
}
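The three points of the answer (a parameterised insert instead of blacklisting characters, the strip_tags() check for an error message, and escaping on output) put together in one runnable script. This is an added example, not code from the answer or from Zend Framework; it uses plain PDO with an in-memory SQLite database so it runs offline, and the `comments` table, its `body` column and the sample comment strings are assumptions constructed for the demonstration.

```php
<?php
// Added example: validate a comment body, store it with a prepared statement,
// and escape it on output. Table/column names and sample inputs are assumptions.
declare(strict_types=1);

// Return an error message if the comment is unacceptable, null otherwise.
function validateComment(string $comment): ?string
{
    $trimmed = trim($comment);
    if ($trimmed === '') {
        return 'Comment must not be empty.';
    }
    if (strlen($trimmed) > 2000) {          // byte length; a sane upper bound
        return 'Comment is too long.';
    }
    // strip_tags() removes anything that parses as a tag; if the result differs
    // from the input, the input contained tags.
    if (strip_tags($trimmed) !== $trimmed) {
        return 'HTML tags are not allowed in comments.';
    }
    return null;
}

// Store the comment with a prepared statement. No characters need to be
// forbidden for SQL's sake: the value travels separately from the SQL text,
// so quotes, semicolons and comment markers cannot change the query.
function storeComment(PDO $db, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
}

// Escape for HTML output. This, not the input filter, is what prevents a
// stored comment from being interpreted as markup or script in the browser.
function renderComment(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample inputs.
$inputs = [
    "Nice article, thanks!",
    "It's 5 o'clock; a \"quoted\" word and a ';-- sequence",  // accepted: quotes are harmless here
    "<b>bold</b> text",                                        // rejected: contains tags
    "a < b and b > c",                                         // accepted: '<' followed by a space is not a tag
];

foreach ($inputs as $input) {
    $error = validateComment($input);
    if ($error !== null) {
        echo "Rejected: $error\n";
        continue;
    }
    storeComment($db, $input);
}

// Read back and render; the stored text is unchanged, escaping happens only here.
foreach ($db->query('SELECT body FROM comments') as $row) {
    echo renderComment($row['body']), "\n";
}
```

The second sample input shows why a character blacklist is the wrong tool against SQL injection: the quotes and the `';--` sequence are stored verbatim and cause no harm, because the prepared statement never interpolates them into SQL. The tag check stays a content rule (the site does not want markup in comments), and htmlspecialchars() on output is what protects readers regardless of what the validator lets through.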

2 Comments

Thanks, I escape things on output already. But why should I allow the user to input HTML tags? I want an error message to be displayed that the input is invalid.

Altered the answer with an example on how to show an error message if it contains HTML tags. I'm not sure what the context of the comment is, but it's generally harmless to allow but escape HTML tags. For example, if you were running a website about web development, maybe the commenter will include HTML tags as an example.
