WebRef.eu  - Internet Marketing and Online Business Resources  




PHP Script Example - Disallow Certain Characters from a Form Field

The PHP script below demonstrates how a form field can be checked for particular characters, in this case <, > and @, and an error message displayed asking the user to remove them. Disallowing characters can be used as an additional precaution to make it harder for someone to damage your site with a scripting (cross-site scripting) attack, but it is not a substitute for escaping user input when it is written back into the page: a blocklist of a few characters does not cover every context in which input can be harmful (for example a value echoed inside a quoted HTML attribute, where a double quote is enough), and the htmlspecialchars() call in the PrepareForForm function is what actually neutralises the input. Note also that strpos() returns the position of the first match, which is 0 when the character is the first one in the string, so its result must be compared against false (!== false) rather than used directly as a boolean; otherwise a disallowed character at the very start of the field is missed.

Copy and paste the script including the html tags, and save the file with a .php extension to test it on your server. You can also view the script in action here:



<html>
<head>
<title>PHP Script from WebRef.eu</title>
<meta name="description" content="An example PHP script in which a field is checked for certain characters that aren't allowed and the user asked to remove them, from WebRef.eu.">
<meta name="keywords" content="remove character, remove characters, disallow character, disallow characters, remove special characters.">

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<style type="text/css">
.txterror {
color: #FF0000;
}
</style>
</head>
<body>

<?php
//PrepareForForm function used when there is an error in user input and it has to be re-displayed in the form
//prepare data for output by stripping backslashes added by magic quotes (PHP 5 only) and replacing special characters with HTML equivalents
function PrepareForForm($str) {

//get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0, so only call it where it still exists
if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
// remove the slashes inserted by magic quotes.
$str = stripslashes($str);
}

//Syntax htmlspecialchars(string, quotestyle, character-set)
$str=htmlspecialchars($str, ENT_QUOTES, 'ISO-8859-1');

return $str;
}

//Initialise both variables so they exist on the first load, before the form has been posted
$ReviewDesc = "";
$ErrorMsg = "";

//If processform flag is set, processing can occur. If not set, form is being loaded for the first time
if (isset($_POST['processform']) && $_POST['processform'] == 1) {

//Process Form
//retrieve form input (trimmed, so a field containing only spaces still counts as blank)
$ReviewDesc = isset($_POST['txtReviewDesc']) ? trim($_POST['txtReviewDesc']) : "";

//Validate fields

// create empty error variable
// always concatenate error variable so you don't wipe out other error messages
$ErrorMsg = "";

//Your Review can't be left blank
if ($ReviewDesc == "") {
$ErrorMsg = $ErrorMsg . "Please give Your Review.<br>";
}

//Do not allow @, < or > in ReviewDesc
//strpos() returns the 0-based position of the first match, so each result must be compared
//against false: a plain truth test would treat a match at position 0 as "not found"
if(strpos($ReviewDesc, '@') !== false OR strpos($ReviewDesc, '<') !== false OR strpos($ReviewDesc, '>') !== false){
$ErrorMsg = $ErrorMsg . "Your Review cannot contain any @, < or > characters, so please remove them.<br>";
}

//If there were errors, show them and escape the input so it can be safely re-displayed in the form
if ($ErrorMsg != "") {
echo "<p class='txterror'>" . $ErrorMsg . "</p>";
$ReviewDesc = PrepareForForm($ReviewDesc);
}

//If no errors then form input successful and can move to next step e.g. write to database
//PrepareForForm function used again so single and double quotes displayed correctly with magic quotes affecting them
if ($ErrorMsg == "") {
echo "<p>Form processing successful.<br><br>Review Description was: " . PrepareForForm($ReviewDesc) . "</p>";
}

}
//Close If processform flag is set

//If condition for when to display form
//when processform flag is 1 and ErrorMsg is empty we don't want to display the form
//otherwise we display the form for error correction
if (!(isset($_POST['processform']) && $_POST['processform'] == 1 && $ErrorMsg == "")) {
?>
The below form will not allow certain characters in the Your Review field.
<!-- PHP_SELF echoes the request path, which the visitor controls, so it is escaped rather than echoed raw -->
<form name="form1" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'ISO-8859-1'); ?>">

Your Review (try entering a @, &lt; or &gt; to trigger the error):<br>

<textarea name="txtReviewDesc" cols="50" rows="4"><?php echo $ReviewDesc; ?></textarea>

<!-- processform flag so you can tell when form is posted back -->
<input type="hidden" name="processform" value="1">

<input type="submit" name="Submit" value="Submit">

</form>
<?php
}
//End If condition for when to display form
?>

<a href="index.php">Back to Home Page</a>
</body>
</html>

<!-- SCRIPT ENDS -->
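As an added example, not code from the WebRef.eu script above, the stand-alone PHP below isolates the character check and runs it over a handful of constructed inputs. It shows the strpos() position-0 pitfall side by side with the corrected comparison against false and an equivalent strpbrk() form, and finishes with an input that passes the blocklist yet still needs output escaping. The function names (containsDisallowedBuggy, containsDisallowedStrpos, containsDisallowed) and all sample strings are assumptions made for this illustration.

```php
<?php
// Added example, not part of the WebRef.eu script: a stand-alone check for
// disallowed characters, with constructed inputs showing why the strpos()
// result must be compared against false. The helper names and the sample
// strings below are assumptions made for this illustration.

// The idiom used in the script: strpos() returns the 0-based offset of the
// first match, and offset 0 is falsy, so a disallowed character that happens
// to be the first character of the field is not detected.
function containsDisallowedBuggy($str)
{
    if (strpos($str, '@') || strpos($str, '<') || strpos($str, '>')) {
        return true;
    }
    return false;
}

// Corrected form of the same check: compare each strpos() result to false.
function containsDisallowedStrpos($str)
{
    foreach (array('@', '<', '>') as $ch) {
        if (strpos($str, $ch) !== false) {
            return true;
        }
    }
    return false;
}

// Equivalent single-call form: strpbrk() returns the tail of $str starting at
// the first character found in $disallowed, or false if none is present.
function containsDisallowed($str, $disallowed = '@<>')
{
    return strpbrk($str, $disallowed) !== false;
}

// Constructed inputs paired with the result a correct check must give.
$cases = array(
    'Great product, would buy again'  => false,
    'Email me at someone@example.com' => true,
    '<b>bold</b> text'                => true,
    'a > b'                           => true,
    '@ at the very start'             => true, // missed by the buggy check
);

foreach ($cases as $input => $expected) {
    $buggy = containsDisallowedBuggy($input);
    $fixed = containsDisallowedStrpos($input);
    $brk   = containsDisallowed($input);
    printf(
        "%-32s buggy=%-5s strpos!==false=%-5s strpbrk=%-5s %s\n",
        $input,
        var_export($buggy, true),
        var_export($fixed, true),
        var_export($brk, true),
        ($fixed === $expected && $brk === $expected) ? 'ok' : 'MISMATCH'
    );
}

// A value that passes the blocklist but would still break out of a quoted
// HTML attribute if echoed raw. The blocklist cannot catch it; escaping at
// output time with htmlspecialchars(), as PrepareForForm() does, is what
// neutralises it.
$attrBreak = '" onfocus="alert(1)';
printf(
    "\nblocklist catches %s: %s\nescaped for output: %s\n",
    $attrBreak,
    var_export(containsDisallowed($attrBreak), true),
    htmlspecialchars($attrBreak, ENT_QUOTES, 'ISO-8859-1')
);
```

Run it from the command line with php; the last case in the table is the one the buggy check gets wrong, and the final two lines show that the attribute-breaking string is invisible to the blocklist but harmless once escaped.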






All Content ©2018 WebRef.eu