Slashes, quotes and bbcode

Printable View

Jun 25, 2002, 17:10
wmk86

Slashes, quotes and bbcode

OK, I have read all the threads here about addslashes(), stripslashes() and the evil magic_quotes. Well here it goes again, with a little twist!

I have bbcode on my site in the form of [link="URLGOESHERE"]my site[/link]. Now, I run addslashes() (without magic_quotes on (Dr. Pepper would be proud :))) before I put the data in mysql. When extracting it, I run htmlspecialchars() then I replace the [link] tags, etc. However, I get (changed the URL, so the forum wouldn't mess it up):

PHP Code:

<a href=""URLGOESHERE"" target="_blank">my site</a>

! Not good. Anyone have an idea?
Jun 25, 2002, 17:50
Technosailor

why are you encoding the original quotation marks? If you don't send those to the db then you won't have aproblem turning them into HTML Special characters...

Sketch
Jun 25, 2002, 18:01
wmk86

You mean why am I doing addslashes()?

Or why am changing the quote marks to quot;?
If it is the former, I am doing addslashes() so the INSERT command won't screw up

PHP Code:

mysql_query("INSERT INTO news (userid, date, title, text) VALUES ('$userid', NOW(), '$title', 'hello I'm jose')");

that wouldn't work.

If you are asking the latter, htmlspecialchars() changes the quotemarks to quot; but that then screws up my preg_replace() commands ([link] -> <a>). If I switch and do the preg_replace first, then htmlspecialchars() it will replace the <> with the actual tags and won't print any HTML at all! Not good.

You probably aren't asking about either of them...:confused:
Jun 25, 2002, 18:03
Technosailor

what are you literally inserting into the db originally?
Jun 25, 2002, 18:03
wmk86

You mean this?:

PHP Code:

function insertnews ($title, $text) { $userid = $_SESSION['userid']; addslashes($title); addslashes($text); $query = mysql_query("INSERT INTO news (userid, date, title, text) VALUES ('$userid', NOW(), '$title', '$text')"); echo "Submitted!"; }

It is a news script.
Jun 25, 2002, 18:39
cyngon

Edit: Thought of a much better solution. . .

In your code that translates [link] tags into HTML <a href=""> tags, have it look for the translated characters ("& q u o t ;" for double quote) instead of an actual double quote.

If you post your bbcode translation code for links here I'm sure either myself or someone of greater regex mastery will be able to help you make this modification.
Jun 25, 2002, 19:17
wmk86

Hmm, ok :). I thought I have seen what I am trying to do be done before. But no problem, here is the current code:

Code:

$text = preg_replace("/\[link=[\"]?([^\]^\"]*)[\"]?\]([^\[]*)\[\/link\]/", "$link$1$link2$2</a>" , $text);
Jun 25, 2002, 19:39
cyngon

Why is $link in that regex?

I'm not that good with regex, but I'm also confused by the fact that you don't use anything like \\1 or \\2 in the second argument of preg_replace. Woulden't you need to use \\1 instead of $1? or is there an alternate syntax I don't know about?
Jun 25, 2002, 19:40
wmk86

I don't know that much either (I got this code from someone else ;)) but I believe \\1 is for ereg* while $1 is for preg.

And the variables above the code are these:

PHP Code:

$imdb = '<a href="http://www.imdb.com/Title?'; $link = '<a href="'; $link2 = '" target="_blank">'; $img = '<img src="';

Edit - Works now!
I did htmlspecialchar() then replaced '=&q uot;' with '="' and '&q uot;]' with '"]' then ran my original [link] preg_replace.

Anyway, thanks guys for the help :D
Jun 25, 2002, 19:48
cyngon

I don't see anything about a $1 syntax for preg regex's in the manual, but it does talk about the \\1 syntax.

Here is my shot at a regex:

Code:

$text = preg_replace("/\[link=["]([^\]^\"]*)["]\]([^\[]*)\[\/link\]/e", "$link.'\\1'.$link2.'\\2'.'</a>'" , $text);

Let me know how that does for you. I'm a really crummy regex coder, but give it a shot.

Edit: Not to self (and everyone): Regex code is usually better off being posted in CODE tags instead of PHP tags since vB will mess with slashes in PHP code.