This is the form for comment:
echo $this->Form->create('Comment',array('url'=>array('controller' => 'comments', 'action' =>'add', $listposts['Post']['id']) ) );
echo $this->Form->input('post_id',array('type'=>'hidden','style'=>'width:30%','value'=>$listposts['Post']['id']));
echo $this->Form->input('name',array('style'=>'width:30%'));
echo $this->Form->input('email',array('style'=>'width:30%'));
echo $this->Form->input('body',array('rows'=>'5'));
echo $this->Form->end('Comment');
The comment.php model =>
var $useTable='comments';
var $belongsTo = array('Post');
var $validate = array(
'name' => array(
'required' => true,
'rule' => 'notEmpty',
'allowEmpty' => false,
'message' => 'Enter Name.'
),
'email' => array(
'required' => true,
'rule' => 'notEmpty',
'allowEmpty' => false,
'message' => 'Enter Email.'
),
'body' => array(
'required' => true,
'rule' => 'notEmpty',
'allowEmpty' => false,
'message' => 'Enter Body.'
)
);
}
But during commenting someone can type in any textbox of the comment form like this =>
<script>
alert("Hello world");
</script>
Then this alert will be displayed during the page load.
How can i stop inserting this html tags in database ?
How can i check this html block ?
There are two ways to handle this: sanitizing or escaping the string. Sanitizing means you strip all unwanted content out. Escaping means you “disable” any special characters in the string. You should always escape user-supplied content when outputting it:
Optionally you may want to sanitize the string, but that can be tricky. Look into Cake’s
Sanitizeclass. The Great Escapism is also apropos.