  1. #1
    SitePoint Enthusiast
    Join Date: Oct 2008 | Location: LONDON,UK | Posts: 64

    Any ideas why HTMLENTITIES won't work?

    The function htmlentities is not working in my form:

    //get data from form
    extract($_POST);

    the above gets all the data from the form and then the following puts all the separate bits of info into variables:

    .....
    $organisation = "\nOrganisation: " . $organisation;
    $organisation = htmlentities($organisation);
    $position = "\nPosition: " . $position;
    $position = htmlentities($position);
    $email = "\nEmail: " . $email;
    $email = htmlentities($email);

    Any ideas what is going wrong?

    Thank you

  2. #2
    SitePoint Mentor bronze trophy
    John_Betong
    Join Date: Aug 2005 | Location: City of Angels | Posts: 1,838

    Looks like the code supplied is doing what you're asking but not what you want.

    Maybe replace htmlentities(...) with strip_tags(...);

    http://th.php.net/manual/en/function.strip-tags.php
    Learn how to be ready for The New Move to Discourse

    How to make Make Money Now with a *NEW* look

    Be sure to congratulate Patche on earning Member of the Month for July 2014

  3. #3
    SitePoint Enthusiast
    Join Date: Oct 2008 | Location: LONDON,UK | Posts: 64

    PLEASE HELP ME !

    Quote Originally Posted by John_Betong View Post
    Looks like the code supplied is doing what you're asking but not what you want.

    Maybe replace htmlentities(...) with strip_tags(...);

    http://th.php.net/manual/en/function.strip-tags.php

    No,
    strip_tags doesn't work either!!!

    It must be my code? The strip_tags calls are commented out...
    Code:

    extract($_POST);
    //Set up the email
    $to = "Test to me<my email address>";

    //put the data into variables
    // use the function 'strip_tags' to make it safer
    $from_header = "From: $from";
    $subject = "CLIENT CONTACT DETAILS VIA WEBSITE";
    $text1 = "\nClient contact details: ";
    $name = "\n\nName: " . $title . " " . $firstname . " " . $lastname;
    //$name = strip_tags($name);
    $organisation = "\nOrganisation: " . $organisation;
    //$organisation = strip_tags($organisation);
    $position = "\nPosition: " . $position;
    //$position = strip_tags($position);
    $address1 = "\nAddressline1: " . $address1;
    //$address1 = strip_tags($address1);
    $address2 = "\nAddressline2: " . $address2;
    //$address2 = strip_tags($address2);
    $city = "\nTown/City: " . $city;
    //$city = strip_tags($city);
    $county = "\nCounty: " . $county;
    //$county = strip_tags($county);
    $postcode = "\nPostcode: " . $postcode;
    //$postcode = strip_tags($postcode);
    $country = "\nCountry: " . $country;
    //$country = strip_tags($country);
    $telephone = "\nTelephone: " . $telephone;
    //$telephone = strip_tags($telephone);
    PLEASE HELP ME SOMEONE !!

  4. #4
    SitePoint Enthusiast
    Join Date: Oct 2011 | Posts: 47

    You need to explain the situation better.

    1. What exactly are you getting in the $_POST array, can you give us print_r results?
    2. What are you trying to do with the $_POST data? remove tags from it? convert tags to entities? remove entities?

  5. #5
    SitePoint Enthusiast
    Join Date: Oct 2008 | Location: LONDON,UK | Posts: 64

    Hi JV, thanks for responding.

    Code:
    extract($_POST);
    is getting data from a completely separate .html file containing an html form.


    I have this code at the top of my PHP file (where my code in above posts is situated)
    Code:
    <?php
       //checking referer
       $ref = $_SERVER["HTTP_REFERER"]; 
          
       if ($ref != "http://www.domainname.com/FORM.html" ) {
         //bad referrer detected, exit script 
          print ("<div align=center valign=center><b>Warning:</b> Sorry, you are not allowed to access this page<br><br> [ <a href=\"javascript:window.close()\">Close this window</a> ] </div>"); 
         exit; 
       }


    The thing is at the moment someone with bad intention can put mischievous content into the fields of this form and all I want to do is SANITIZE the input basically for SECURITY reasons.

    For example I have input this line of text into one of the form fields as a test :

    Code:
    I am going to hack your site, hahaha!
    	<script type='text/javascript'>
    	window.location = 'http://www.example.com/'
    	</script>';
    and it sends the user who input the information off to another site - which isn't what I want !

    So basically I'm looking to strip any tags etc,.. that might be bad intentions.

    Have I explained it enough for you? Sorry, I'm a newbie.

    Many thanks
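Two points in the handler above that escaping the body fields does not address, shown as an added example that is not code from this thread: the HTTP_REFERER check compares against a header the client itself sends, so a request made with `curl -H "Referer: http://www.domainname.com/FORM.html"` passes it; and `$from_header = "From: $from"` places a value taken straight from $_POST into a mail header, so a value containing a line break adds further headers (Bcc, extra To) to the message. The array names and the function names buildFromHeaderUnsafe/buildFromHeaderSafe are this example's own, and the submissions are constructed.

```php
<?php
// Added example (not the thread's code): CRLF header injection through the
// From field, beside a hardened version that reads the key explicitly
// (no extract()) and refuses anything that is not a single address.
declare(strict_types=1);

// Constructed submissions. The second carries CR LF followed by a Bcc header.
$benign  = ['from' => 'alice@example.org'];
$hostile = ['from' => "alice@example.org\r\nBcc: spam-target@example.net"];

// Shape of the code in the thread: the raw value becomes the header line.
function buildFromHeaderUnsafe(array $post): string
{
    return "From: " . ($post['from'] ?? '') . "\r\n";
}

// Hardened: reject non-strings and any CR/LF (so the header cannot be split),
// then require a syntactically valid e-mail address.
function buildFromHeaderSafe(array $post): ?string
{
    $from = $post['from'] ?? '';
    if (!is_string($from) || preg_match('/[\r\n]/', $from) === 1) {
        return null;                                // header injection attempt
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;                                // not a single address
    }
    return "From: " . $from . "\r\n";
}

// json_encode makes the control characters visible in the output.
foreach ([$benign, $hostile] as $post) {
    echo "unsafe: ", json_encode(buildFromHeaderUnsafe($post)), "\n";
    echo "safe:   ", json_encode(buildFromHeaderSafe($post)), "\n\n";
}
```

For the hostile submission the unsafe builder hands mail() two header lines where one was intended, while the safe builder returns null and the caller should refuse to send. The same CR/LF rule applies to every value that goes into a header (Subject, Reply-To); the plain-text body is a different output context and is handled separately below in the thread.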

  6. #6
    SitePoint Enthusiast
    Join Date: Oct 2008 | Location: LONDON,UK | Posts: 64
    uh oh..
    should i put the htmlentities function actually in the .html form file ?

    please help ?!

    NO JUST TRIED THAT AND IT DOESN'T WORK EITHER

  7. #7
    SitePoint Mentor bronze trophy
    John_Betong
    Join Date: Aug 2005 | Location: City of Angels | Posts: 1,838
    @newhere

    I am unable to reproduce the problem that you provided.

    I have just tried the sample text input both locally and online (Johns-Jokes.com) and it does not "send the user off to another site"?

    Here is the code that I used locally for testing:
    PHP Code:

        <form action="/search_form" method="post">
         
          <fieldset class='max_width bgs cgs '>
            <label><i>Top Three Jokes and funny pictures</i></label> 
            <label><code class='tar' style='color:#fc9; width:2em; margin-left:15em' ><?php echo $id_day;?></code></label> 
            
            <input
                type  = "submit"
                name  = "search"
                value = 'go' 
                class = "flr"
                style = 'margin-right:1.42em'
            />
            <input
                title   = "search jokes"
                type    = "text"
                name    = "filter"
                value   = ""
                size    = "28"
                class   = "flr"
            />
          </fieldset>
        </form>


    // Sample Input
    /*
        I am going to hack your site, hahaha!
        <script type='text/javascript'>
          window.location = 'http://www.example.com/'
        </script>';    
    */

    // text received
      echo '<pre>';
        print_r($_POST);
       var_dump($_POST);
      echo '</pre>';
      die;

    // output
    Array
    (
        [search] => go
        [filter] =>     I am going to hack your site, hahaha!     ';    
    )
    array(2) {
      ["search"]=>
      string(2) "go"
      ["filter"]=>
      string(144) "    I am going to hack your site, hahaha!     ';    "
    }

    //
    Please supply another sample script that I can test.

  8. #8
    SitePoint Enthusiast
    Join Date: Oct 2008 | Location: LONDON,UK | Posts: 64
    Hi John

    not sure I understand your code here. I've copied it all into a file using Dreamweaver and it appears to be missing some php tags ?

    Maybe we're talking at cross purposes... I AM a newbie!

    Did you put the whole lot :

    I am going to hack your site, hahaha!
    <script type='text/javascript'>
    window.location = 'http://www.example.com/'
    </script>';

    into an input field ?

    it defo runs the javascript and the user ends up at another site which is what i don't want..
    have tried htmlspecialchars, strip_tags and htmlentities functions..

    Thanks
    newhere

  9. #9
    SitePoint Wizard silver trophy, bronze trophy
    Cups
    Join Date: Oct 2006 | Location: France, deep rural. | Posts: 6,869

    I have not actually put the values in a form and submitted them, but this is what I did:

    PHP Code:
    $test = "I am going to hack your site, hahaha!
    <script type='text/javascript'>
    window.location = 'http://www.example.com/'
    </script>'";

    echo htmlentities($test);

    // gives me (in the HTML source of the page):
    //
    // I am going to hack your site, hahaha!
    // &lt;script type='text/javascript'&gt;
    // window.location = 'http://www.example.com/'
    // &lt;/script&gt;'
    htmlentities() is an Escaping mechanism designed to protect the viewer of, say, a webpage from abuse -- as you have described already.

    Escaping is part of the FIEO mantra (Filter Input Escape Output).

    Sanitizing (to me) means taking data and removing anything harmful before passing it on.

    If you are storing the data in a database you have to Escape it using different methods, say mysql_real_escape_string().

    To see what is being put out on a website you have to ideally view the html source code.

    This recent blog post might help, although I have not tested any of what the author said - it seems about right.
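The FIEO point above (filter the input, keep the raw value, escape it for whichever output it is written into) applied to the thread's contact form, as an added example that is not code from the thread or from any of its posters. The field names, the length cap, and the confirmation-page markup are assumptions for the example; the hostile value is the thread's own test string, constructed here as a PHP literal. Note what each of the three functions the original poster tried actually does to that value: strip_tags removes the tags but leaves the JavaScript text, and the PHP manual for strip_tags says it should not be used to try to prevent XSS, while htmlentities and htmlspecialchars both turn the tag into inert text. Escaping the body before it goes into a text/plain e-mail changes nothing, because that context does not interpret HTML; the script can only run where the raw value is written into an HTML page (a confirmation page, or an HTML-formatted mail), which is where Cups's advice to view the page's HTML source applies. John's var_dump in post #7 reports string(144) while only about forty characters survive in the displayed dump, which is consistent with the script element having been present in $_POST and then interpreted when the dump was pasted unescaped.

```php
<?php
// Added example (not the thread's code): the three functions from the thread
// applied to its test string, then a small Filter Input / Escape Output handler
// that keeps the raw value and escapes it only for the output it is written to.
// Assumes the mbstring extension (mb_substr) is available.
declare(strict_types=1);

// The thread's test string, constructed here as a literal.
$payload = "I am going to hack your site, hahaha!\n"
    . "<script type='text/javascript'>\n"
    . "window.location = 'http://www.example.com/'\n"
    . "</script>';";

// Escape for an HTML text node or a double-quoted attribute. ENT_QUOTES also
// converts ', ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Filter step: read an explicit list of keys (no extract()), keep strings only,
// trim, and cap the length. The value itself is stored unescaped.
function filterContactInput(array $post): array
{
    $allowed = ['firstname', 'lastname', 'organisation', 'email'];
    $clean = [];
    foreach ($allowed as $key) {
        $value = isset($post[$key]) && is_string($post[$key]) ? trim($post[$key]) : '';
        $clean[$key] = mb_substr($value, 0, 200, 'UTF-8');
    }
    return $clean;
}

// Output context 1: plain-text e-mail body. No HTML escaping is needed; a
// <script> tag is inert text here. Line breaks inside a value are collapsed
// so each field stays on its own line.
function renderTextBody(array $fields): string
{
    $lines = ['Client contact details:'];
    foreach ($fields as $key => $value) {
        $lines[] = ucfirst($key) . ': ' . preg_replace('/\R+/u', ' ', $value);
    }
    return implode("\n", $lines) . "\n";
}

// Output context 2: HTML confirmation page. Every value is escaped here,
// at the point of output, and nowhere else.
function renderConfirmationHtml(array $fields): string
{
    $html = "<ul>\n";
    foreach ($fields as $key => $value) {
        $html .= '  <li>' . escapeHtml($key) . ': ' . escapeHtml($value) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// What the thread's three candidates do to the payload.
echo "strip_tags:\n",       strip_tags($payload), "\n\n";
echo "htmlentities:\n",     htmlentities($payload, ENT_QUOTES, 'UTF-8'), "\n\n";
echo "htmlspecialchars:\n", htmlspecialchars($payload, ENT_QUOTES, 'UTF-8'), "\n\n";

// Constructed submission: hostile first name, plus values with ' and & to
// show that escaping handles ordinary data as well.
$post = [
    'firstname'    => $payload,
    'lastname'     => "O'Brien",
    'organisation' => 'ACME & Co',
    'email'        => 'a@example.org',
];
$fields = filterContactInput($post);
echo renderTextBody($fields), "\n";
echo renderConfirmationHtml($fields);
```

The design choice is that the escaping function is chosen by the destination, not applied once to the data: the same $fields array goes into the text mail unescaped and into the HTML page through escapeHtml(). Escaping at input instead (htmlentities before storing or mailing) either does nothing, as in the text/plain mail, or double-encodes the next time the value is rendered.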

  10. #10
    SitePoint Mentor bronze trophy
    John_Betong
    Join Date: Aug 2005 | Location: City of Angels | Posts: 1,838
    @newhere

    Yes I input the whole Javascript and there was not a problem.

    >>> I've copied it all into a file using Dreamweaver and it appears to be missing some php tags ?

    Sorry about that, I rely too much on my editor to show me the errors. Here is the amended script.

    PHP Code:

        <form action="/search_form" method="post">

          <fieldset class='max_width bgs cgs '>
            <label><i>Top Three Jokes and funny pictures</i></label>
            <label><code class='tar' style='color:#fc9; width:2em; margin-left:15em' ><?php echo '$id_day';?></code></label>

            <input
                type  = "submit"
                name  = "search"
                value = 'go'
                class = "flr"
                style = 'margin-right:1.42em'
            />
            <input
                title   = "search jokes"
                type    = "text"
                name    = "filter"
                value   = ""
                size    = "28"
                class   = "flr"
            />
          </fieldset>
        </form>


    <?php // ADDED THIS LINE

    // Sample Input
    /*
        I am going to hack your site, hahaha!
        <script type='text/javascript'>
          window.location = 'http://www.example.com/'
        </script>';
    */

    // text received
      echo '<pre>';
        print_r($_POST);
        var_dump($_POST);
      echo '</pre>';
      die;

    // output
    Array
    (
        [search] => go
        [filter] =>     I am going to hack your site, hahaha!     ';
    )
    array(2) {
      ["search"]=>
      string(2) "go"
      ["filter"]=>
      string(144) "    I am going to hack your site, hahaha!     ';    "
    }

    //

