Need Help Stripping Tags

Hi.

I started creating a confession-type website where you type whatever you want to say into a comment box, and it gets displayed on another page. I tested it using HTML tags and it looks like it is vulnerable to injection.

I know there must be an easy line of code that you put in somewhere, but I'm having a hard time with that. I have the code shown below; what should I put in it, and where?


<?php do { ?>
      <br />
      <p><strong>Confession #</strong><?php echo $row_confess['id']; ?> <strong>at</strong> <?php echo $row_confess['timestamp']; ?></p>
        <p><?php echo $row_confess['confess']; ?></p>

<hr />
        <?php } while ($row_confess = mysql_fetch_assoc($confess)); ?>

Thanks.

Edit: Also, is there a way to allow people to press Enter? When I try to press Enter to write another paragraph and submit, it doesn't display the way I want. It just makes it one paragraph.

About your first question, you have two options.
If you want to leave the comment as it was typed and still prevent HTML injection, you can use htmlspecialchars.


echo htmlspecialchars( $row_confess['confess'] ); 

Or, if you want to strip all the HTML tags from the comment, use strip_tags.


echo strip_tags( $row_confess['confess'] ); 

About your second question, it's hard to say without seeing how you have the rest of your scripts set up. How is the form being used, and what does the PHP code that saves the comment look like?

The strip_tags one worked, thank you :slight_smile:

As for my second question, keep in mind that I'm new to PHP, so bear with me. Here's the code for the comment page:



<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  // magic_quotes_gpc only existed before PHP 5.4; get_magic_quotes_gpc() was removed in PHP 8
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  // the mysql_* extension was removed in PHP 7; mysqli/PDO prepared statements replace this escaping
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO confess (confess) VALUES (%s)",
                       GetSQLValueString($_POST['confess'], "text"));

  mysql_select_db($database_Confession, $Confession);
  $Result1 = mysql_query($insertSQL, $Confession) or die(mysql_error());

  $insertGoTo = "read.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
    $insertGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $insertGoTo));
  exit; // stop here; without this the SELECT below still runs after the redirect header
}

mysql_select_db($database_Confession, $Confession);
$query_confess = "SELECT * FROM confess";
$confess = mysql_query($query_confess, $Confession) or die(mysql_error());
$row_confess = mysql_fetch_assoc($confess);
$totalRows_confess = mysql_num_rows($confess);
?>


Or could it be an HTML thing? (Which I doubt):



<p align="center"><strong>What's on your mind?</strong></p>
        <!-- PHP_SELF can carry attacker-supplied path info, so escape it before echoing into the attribute -->
        <form id="form1" name="form1" method="POST" action="<?php echo htmlspecialchars($editFormAction); ?>">
          <p>
            <label for="confess">
              <textarea name="confess" id="confess" cols="60" rows="8"></textarea>
            </label>
          </p>
          <p>
            <input type="submit" name="confess2" id="confess2" value="Confess" />
          </p>
          <input type="hidden" name="MM_insert" value="form1" />
        </form>
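An added example, not the poster's script and not code from any library: the same insert, redirect and read-back written with PDO prepared statements, which replace the mysql_* functions (removed in PHP 7) and the GetSQLValueString escaping. The DSN, user and password are placeholders; the table and column names are the ones from the posted code.

```php
<?php
// Added example (not the poster's script): insert-then-redirect and read-back
// using PDO prepared statements instead of mysql_* and manual escaping.
declare(strict_types=1);

$dsn    = 'mysql:host=localhost;dbname=Confession;charset=utf8mb4'; // assumed
$dbUser = 'confess_app';                                              // assumed
$dbPass = 'change-me';                                                // assumed

$pdo = new PDO($dsn, $dbUser, $dbPass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of "or die(mysql_error())"
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

if (($_POST['MM_insert'] ?? '') === 'form1') {
    $text = trim((string) ($_POST['confess'] ?? ''));
    if ($text !== '') {
        // The value travels separately from the SQL text, so quotes, backslashes
        // and tags in the confession can never change the statement.
        $stmt = $pdo->prepare('INSERT INTO confess (confess) VALUES (:confess)');
        $stmt->execute([':confess' => $text]);
    }
    // Fixed redirect target; the request's query string is not appended.
    header('Location: read.php');
    exit; // without this the rest of the page still runs after the redirect
}

// Same columns the posted loop prints (`timestamp` is backticked because it is a MySQL keyword)
$rows = $pdo->query('SELECT id, `timestamp`, confess FROM confess ORDER BY id')
            ->fetchAll(PDO::FETCH_ASSOC);

foreach ($rows as $row) {
    // Store the raw text, encode at display time only.
    echo '<p><strong>Confession #</strong>', (int) $row['id'],
         ' <strong>at</strong> ', htmlspecialchars((string) $row['timestamp'], ENT_QUOTES, 'UTF-8'), '</p>';
    echo '<p>', nl2br(htmlspecialchars((string) $row['confess'], ENT_QUOTES, 'UTF-8')), '</p><hr />';
}
```

Drop this in place of the generated block and the form can keep posting MM_insert=form1 unchanged; the only thing the form needs is a reachable database with the confess table.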


Something like

// Browser JavaScript: watch the textarea and react when Enter is pressed
var myTxt = document.getElementById("confess");
myTxt.addEventListener("keydown", function (event) {
	if (event.key === "Enter") {
		console.log("do something");
	}
});

Not that I'm saying that is the exact code, but I don't think you can achieve what you want with PHP; it'd have to be JavaScript.

I got confused there for a second, but I think what you mean is to display the text that was submitted in paragraphs instead of just one big block of text.

For that you can use another php function called nl2br.


echo nl2br( strip_tags( $row_confess['confess'] ) ); 

That should do both: strip the tags and then convert every new line into a <br /> tag, so your text shows up the way it was typed.

Hope that’s what you meant.
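An added example (not code from any of the posts) that runs the display options from this thread over one constructed, hostile confession so the differences are visible: htmlspecialchars keeps every character but makes the markup inert, strip_tags removes the tags but leaves their contents and any quotes in place, and nl2br has to run after the escaping step or its own <br /> tags get encoded. The sample input and the function names are made up for the example.

```php
<?php
// Added example (not the thread's code): compare the display options on one
// constructed, hostile confession. Run from the command line with the php CLI.
declare(strict_types=1);

// Constructed sample input, as a textarea would submit it (CRLF line ends):
// formatting tags, a script tag, a bare '<' that is not a tag, and quotes.
$raw = "I love <b>cats</b>.\r\n"
     . "<script>alert('xss')</script>\r\n"
     . "Also 1 < 2 and \"quoted\" text.";

// Option 1: keep the text as typed and encode it so the browser never parses it as markup.
function render_escaped(string $text): string
{
    // ENT_QUOTES also encodes ' and ", so the result is safe inside attributes too.
    // nl2br runs AFTER escaping; \r\n, \n and \r each become one <br />.
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Option 2: drop anything that parses as a tag (the strip_tags choice from the thread).
// The <script> element's body text survives as plain text, and quotes are left as-is,
// so the result is fine inside a <p> but not inside an attribute value.
function render_stripped(string $text): string
{
    return nl2br(strip_tags($text));
}

// Wrong order: escaping after nl2br turns the inserted <br /> tags into literal text.
function render_wrong_order(string $text): string
{
    return htmlspecialchars(nl2br($text), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo "escaped:\n",     render_escaped($raw),     "\n\n";
echo "stripped:\n",    render_stripped($raw),    "\n\n";
echo "wrong order:\n", render_wrong_order($raw), "\n";
```

With the escaped version the script tag is printed to the reader as text, with the stripped version only the word alert('xss') remains, and the wrong-order version shows the reader a literal "<br />" between the lines, which is the symptom to look for if line breaks stop working after adding escaping.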

I went with the PHP code, but thanks anyway :slight_smile:

That is exactly what I mean, and it worked. Thank you :slight_smile:

Same result for WordPress tags??? Please tell me.