Allow User Submitted HTML in PHP

Allow user submitted HTML in PHP

HTML Purifier is a
standards-compliant HTML filter
library written in PHP. HTML Purifier
will not only remove all malicious
code (better known as XSS) with a
thoroughly audited, secure yet
permissive whitelist, it will also
make sure your documents are
standards compliant, something only
achievable with a comprehensive
knowledge of W3C's specifications.

How do I only allow a user to submit an html form only once?

With the code below you try to check if the entered tutorial group and group number already exist, but this doesn't work.

$sql = "SELECT (tg,grp) FROM groups";
$result = $conn-> query($sql);
if ($result=1) {
    ....
}

You need to SELECT for the entered tutorial group and group number in the query. Like this:

$stmt = $conn->prepare("SELECT id FROM groups WHERE tg = ? AND grp = ?");
$stmt->bind_param('ss', $tg, $grp);
$result = $stmt->execute();
if ($result) {
    ....
} else {
    printf("Error message: %s\n", $conn->error);
}

Note that I bind the parameters to prevent SQL-injection.

However, I have to say that is method is far from perfect. It relies on your students to enter data very accurately, and never make a mistake. That will not work in practice.

Allow a user to edit a php code and submit the results securely

What you are trying to accomplish is what variables are for.
Taking this example:

  echo "Hello World!";

You could change that to

  echo $_POST["data"];

and in your html

  <form type='post'>
       <input type='text' name='data'/>
       <input type='submit'/>
  </form>

See it in action

Eval should be avoided at all costs, there is a very narrow set of problems where using eval is a sane solution.

How to allow users to edit PHP file?

If it doesn't need to be permanent, use a form, then access the variable by $_GET['var'] or $_POST['var']. You can even save it to the user's $_SESSION. If it needs to be permanent, use a database..don't have a user edit your PHP

You can also use something like jQuery to append data to a div container, example:

HTML:

<input id="input_form_id" type="text"/>
<button id="add_ip">Add</button>
<div id="ip_addresses"></div>

Jquery:

$("#add_ip").click(function() {
    var ip = $("#input_form_id").val();
    $("#ip_addresses").append(ip + "<br/>");
});

Jsfiddle:
http://jsfiddle.net/hvBwK/

How can I allow my user to insert HTML code, without risks? (not only technical risks)

If you are using php, an excellent solution is to use HTMLPurifier. It has many options to filter out bad stuff, and as a side effect, guarantees well formed html output. I use it to view spam which can be a hostile environment.

On an html/php file upload page, can you allow users to select files for upload one at a time without overwriting the previously selected file?

Let me see if I get this straight: you are using HTML file-type input with multiple attribute, meaning you can send multiple files on the same input.

That works this way:

The multiple attribute is a boolean attribute.

When present, it specifies that the user is allowed to enter more than
one value in the element.

Note: The multiple attribute works with the following input types:
email, and file.

Tip: For <input type="file">: to select multiple files, hold down the
CTRL or SHIFT key while selecting.

So if you're trying to upload multiple files and assign them to the same file-type input, it's only natural it gets overwritten every time you manage to select different files again.

If you want to select one file at a time, insert multiple file-type inputs in your form. If you have no idea how many files may be attached, deal with input generation dynamically with Javascript or even PHP, if it isn't mandatory that your form page is pure front-end.

allow user to download after submitting form data

http://php.net/manual/en/function.readfile.php read the first part (forcing a download), you can read a file and then sending it to the user via the headers. Thus you don't have to give away your file structure (and perhaps even letting the file outside your website's root/public_html).

---

Related Topics