  1. #1
    SitePoint Zealot

    Need Help Stripping Tags

    Hi.

    I started creating a confession type of website where you type into a comment box whatever you want to say, and it gets displayed to another page. I tested it using HTML tags and it looks like it is vulnerable to injections.

    I know there must be an easy line of code that you put in somewhere, but I'm having a hard time with that. I have the code shown below, what should I put in it and where?

    PHP Code:
    <?php do { ?>
          <br />
          <p><strong>Confession #</strong><?php echo $row_confess['id']; ?> <strong>at</strong> <?php echo $row_confess['timestamp']; ?></p>
            <p><?php echo $row_confess['confess']; ?></p>

    <hr />
            <?php } while ($row_confess = mysql_fetch_assoc($confess)); ?>
    Thanks.

    Edit: Also, is there a way to allow people to press enter? When I try to press enter to write another paragraph and submit, it won't display the way I want. It just makes it one paragraph.

  2. #2
    SitePoint Enthusiast rainner's Avatar
    About your first question, you have two options.
    If you want to leave the comment as it was typed and still prevent HTML injection, you can use htmlspecialchars.

    Code PHP:
    echo htmlspecialchars( $row_confess['confess'] );

    Or, if you want to strip all the html tags from the comment, use strip_tags.

    Code PHP:
    echo strip_tags( $row_confess['confess'] );

    About your second question, it's hard to say without seeing how you have the rest of your scripts set up. How is the form being used, and what does the PHP code that saves the comment look like?

  3. #3
    SitePoint Zealot
    The strip_tags one worked, thank you.

    As for my second question, keep in mind that I'm new with PHP so bear with me. Here's the code for the comment page:

    PHP Code:

    <?php
    // Dreamweaver-generated helper: escapes a value for use in an SQL string.
    if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
      if (PHP_VERSION < 6) {
        $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
      }

      $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

      switch ($theType) {
        case "text":
          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
          break;
        case "long":
        case "int":
          $theValue = ($theValue != "") ? intval($theValue) : "NULL";
          break;
        case "double":
          $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
          break;
        case "date":
          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
          break;
        case "defined":
          $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
          break;
      }
      return $theValue;
    }
    }

    // The form posts back to this same page, keeping any query string.
    $editFormAction = $_SERVER['PHP_SELF'];
    if (isset($_SERVER['QUERY_STRING'])) {
      $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
    }

    // Insert the submitted confession, then redirect to the read page.
    // $database_Confession and $Confession come from the connection include (not shown in this post).
    if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
      $insertSQL = sprintf("INSERT INTO confess (confess) VALUES (%s)",
                           GetSQLValueString($_POST['confess'], "text"));

      mysql_select_db($database_Confession, $Confession);
      $Result1 = mysql_query($insertSQL, $Confession) or die(mysql_error());

      $insertGoTo = "read.php";
      if (isset($_SERVER['QUERY_STRING'])) {
        $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
        $insertGoTo .= $_SERVER['QUERY_STRING'];
      }
      header(sprintf("Location: %s", $insertGoTo));
    }

    // Recordset used by the display loop.
    mysql_select_db($database_Confession, $Confession);
    $query_confess = "SELECT * FROM confess";
    $confess = mysql_query($query_confess, $Confession) or die(mysql_error());
    $row_confess = mysql_fetch_assoc($confess);
    $totalRows_confess = mysql_num_rows($confess);
    ?>
    Or could it be an HTML thing? (Which I doubt):

    HTML Code:
    <p align="center"><strong>What's on your mind?</strong></p>
            <form id="form1" name="form1" method="POST" action="<?php echo $editFormAction; ?>">
              <p>
                <label for="confess">
                  <textarea name="confess" id="confess" cols="60" rows="8"></textarea>
                </label>
              </p>
              <p>
                <input type="submit" name="confess2" id="confess2" value="Confess" />
              </p>
              <input type="hidden" name="MM_insert" value="form1" />
            </form>

  4. #4
    SitePoint Zealot darkwarrior's Avatar
    Something like
    Code JavaScript:
    myTxt.onSetFocus = function() {
    	myNewObject = new Object();
    	myNewObject.onKeyDown = function() {
    		if (Key.isDown(Key.ENTER)) {
    			trace("do something");
    		}
    	};
    	Key.addListener(myNewObject);
    };

    Not that I'm saying that is the exact code, but I don't think you can achieve what you want with PHP; it'd have to be JavaScript.

  5. #5
    SitePoint Enthusiast rainner's Avatar
    I got confused there for a second, but I think what you mean is to display the text that was submitted in paragraphs instead of just one big block of text.

    For that you can use another php function called nl2br.

    Code PHP:
    echo nl2br( strip_tags( $row_confess['confess'] ) );

    That should do both: strip the tags and then convert every new line into a <br /> tag, so your text shows up the way it was typed.

    Hope that's what you meant.
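    An added example (not code from the thread) that puts the two answers above side by side: it runs a constructed confession through htmlspecialchars, strip_tags and nl2br so you can see what each one changes, and why the encoding has to happen before nl2br rather than after it. It assumes PHP 7 or newer for the scalar type hints; the function names render_confession and render_confession_stripped are mine, not part of the original code.

```php
<?php
// Added example, not code from the original thread. Contrasts the three
// functions discussed above on a constructed confession and shows why the
// order of the calls matters.

/**
 * Render one stored confession for the read page.
 * Encode first so any markup the visitor typed is displayed literally, then
 * turn newlines into <br /> so paragraphs survive. ENT_QUOTES also encodes
 * quotes, which matters if the value is ever echoed inside an attribute.
 */
function render_confession(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($safe);
}

/** Same idea, but dropping the markup instead of showing it literally. */
function render_confession_stripped(string $raw): string
{
    // strip_tags removes the tags but keeps the text between them; encoding
    // afterwards covers anything strip_tags leaves behind (a bare & or <).
    $plain = htmlspecialchars(strip_tags($raw), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($plain);
}

// Constructed sample: two paragraphs, the first containing markup a visitor typed.
$raw = "I have a <b>secret</b> & a <script>alert(\"test\")</script>\nSecond paragraph.";

echo "raw:                       ", $raw, "\n\n";
echo "htmlspecialchars only:     ", htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
echo "strip_tags only:           ", strip_tags($raw), "\n";
echo "encode then nl2br:         ", render_confession($raw), "\n";
echo "strip, encode, nl2br:      ", render_confession_stripped($raw), "\n";

// Wrong order for comparison: nl2br first inserts <br /> tags, and the
// htmlspecialchars call that follows encodes those tags too, so the visitor
// sees the literal text of the tag instead of a line break.
echo "nl2br then encode (wrong): ", htmlspecialchars(nl2br($raw), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
```

    Run it from the command line with php to compare the five outputs. The rule of thumb it illustrates: store the confession exactly as typed, and do the encoding at the point where it is echoed into HTML, with nl2br as the last step.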

  6. #6
    SitePoint Zealot
    Quote Originally Posted by darkwarrior View Post
    Something like
    Code JavaScript:
    myTxt.onSetFocus = function() {
    	myNewObject = new Object();
    	myNewObject.onKeyDown = function() {
    		if (Key.isDown(Key.ENTER)) {
    			trace("do something");
    		}
    	};
    	Key.addListener(myNewObject);
    };

    Not that I'm saying that is the exact code, but I don't think you can achieve what you want with PHP; it'd have to be JavaScript.
    I went with the PHP code, but thanks anyway.

    Quote Originally Posted by rainner View Post
    I got confused there for a second, but I think what you mean is to display the text that was submitted in paragraphs instead of just one big block of text.

    For that you can use another php function called nl2br.

    Code PHP:
    echo nl2br( strip_tags( $row_confess['confess'] ) );

    That should do both: strip the tags and then convert every new line into a <br /> tag, so your text shows up the way it was typed.

    Hope that's what you meant.
    That is exactly what I mean, and it worked. Thank you.

  7. #7
    SitePoint Member
    Quote Originally Posted by darkwarrior View Post
    Something like
    Code JavaScript:
    myTxt.onSetFocus = function() {
    	myNewObject = new Object();
    	myNewObject.onKeyDown = function() {
    		if (Key.isDown(Key.ENTER)) {
    			trace("do something");
    		}
    	};
    	Key.addListener(myNewObject);
    };

    Not that I'm saying that is the exact code, but I don't think you can achieve what you want with PHP; it'd have to be JavaScript.
    Result same as a WordPress tag??? Please tell me.

