Form with euro € symbol
gizmo
09-25-2003, 02:30 PM
I have a form with a text box having a euro input prompt, thus
<INPUT class="forms" NAME="minval" TYPE="text" VALUE="Euros " SIZE="25">
I want to replace the "Euros " part with the euro symbol using &euro; but in the PHP which services the form, I want to reject user HTML input. Will it reject my input prompt also? (If it does, I will have to put the symbol outside the text area and then add it back in with the PHP script.)
I'm not sure exactly what it is that you are asking. Could you please re-iterate?
[edit - After reading your thread in the HTML forums, I think I know what you are after, and will respond there (http://forums.webdeveloper.com/showthread.php?s=&threadid=18208)].
PunkSktBrdr01
09-25-2003, 02:47 PM
What exactly do you mean? Are you using the strip_tags() function? If so, just replace Euros after you strip the HTML.
gizmo
09-25-2003, 02:54 PM
I have a text box for users to enter a price. At present I use value="Euros" to prompt for the currency and have it appear in the result when the form is e-mailed to me. What I want to do is to put in the text box the Euro symbol € by using &euro;, but when I have worked out how, I also want to prevent the user entering anything HTML which may break the webpage, e.g. if the user enters </form> or similar. I also want the symbol in the result that is e-mailed to me.
My post from the other thread might shed some light:
Originally posted by pyro
It depends how you are removing the HTML input. If you use htmlspecialchars (http://us4.php.net/manual/en/function.htmlspecialchars.php), it will indeed format it to &amp;euro; which will cause it to display as &euro; rather than € on your pages....
PunkSktBrdr01
09-25-2003, 03:05 PM
If you want to remove all HTML from the user's input, you can use strip_tags() (http://us4.php.net/manual/en/function.strip-tags.php). When you display the input, just add the euro symbol then.
strip_tags will not remove &amp;euro; -- it will still display as € after being passed through that. Basically, strip_tags just changes the < to &lt; and the > to &gt; (with a few differences, obviously)
PunkSktBrdr01
09-25-2003, 03:17 PM
Originally posted by pyro
Basically, strip_tags just changes the < to &lt; and the > to &gt; (with a few differences, obviously)
Oh, I didn't know that. Anyways, though, why would someone be entering HTML in the text box?
gizmo
09-25-2003, 03:24 PM
A malicious user could enter some javascript which may do nasty things.
PunkSktBrdr01
09-25-2003, 03:27 PM
That's a possibility, but very unlikely. What type of site is this for? If it's an online store, it's probable that the majority of your users will not know any HTML or JavaScript.
gizmo
09-25-2003, 03:31 PM
Maybe I'm being paranoid, but if it's possible, then better safe than sorry.:D
If users can do damage to your applications, that means you need to keep working on them. gizmo has the right idea by disallowing users to have the chance to enter possibly malicious code. JavaScript wouldn't be nearly as big of a problem as a PHP (other server-side language) savvy user entering some server-side code. They could easily bring your site to a crashing halt, with very few lines of code being entered... As gizmo stated, better safe than sorry.
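
An added example, not code from any poster in the thread: one way the PHP script servicing the form could handle `minval` so that the euro symbol never has to pass through the HTML filter. It goes slightly beyond the thread by validating the field as a plain amount before escaping at output; `clean_price()` and the two `render_price_*()` helpers are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the thread. The field name "minval" comes from
// the form above; the helper names below are hypothetical.

/**
 * Accept only a plain decimal amount. Returns a normalised string such as
 * "12.50", or null when the input is anything else (tags, entities, script).
 */
function clean_price(string $raw): ?string
{
    $raw = trim($raw);
    // Drop a leading currency prompt the user may have left in the box.
    $raw = preg_replace('/^(?:Euros|&euro;|€)\s*/iu', '', $raw);
    // Digits with an optional 1-2 digit decimal part; comma or dot separator.
    if (!preg_match('/^\d{1,9}(?:[.,]\d{1,2})?$/', $raw)) {
        return null;
    }
    return number_format((float) str_replace(',', '.', $raw), 2, '.', '');
}

/** HTML output: escape the value, then add the symbol as trusted markup. */
function render_price_html(string $price): string
{
    return '&euro; ' . htmlspecialchars($price, ENT_QUOTES, 'UTF-8');
}

/** Plain-text e-mail body: use the literal character, not the entity. */
function render_price_text(string $price): string
{
    return "\u{20AC} " . $price;
}

// Constructed sample submissions standing in for $_POST['minval'].
$samples = ['Euros 12,5', '&euro; 40', '</form> 5', '19.99'];

foreach ($samples as $raw) {
    $price = clean_price($raw);
    if ($price === null) {
        // Rejected input is still escaped before being echoed back.
        echo 'Rejected: ' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . "\n";
        continue;
    }
    echo render_price_html($price) . ' | ' . render_price_text($price) . "\n";
}
```

Because the symbol is added by the script after validation, the user-supplied part of the value can be filtered as strictly as needed without affecting the prompt.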