php encoding

live-undead, 11-24-2004, 11:22 AM
Basically, when you submit some text to the database with HTML in it, the HTML is processed.

For security reasons, how can I make sure that HTML tags and such are not processed?

I think there is something in ASP like an encode function; is there a PHP version of this?
Republikin (Super Moderator), 11-24-2004, 11:34 AM
addslashes()

When returning data use...

stripslashes()

What this does is inserts an escaping character around anything that could break the code. In addition, if you use htmlspecialchars() that will turn special characters like non-breaking spaces into their character equivalent.
Gary_Pinkett, 11-24-2004, 12:59 PM
The addslashes and stripslashes commands should never be forgotten, of course. But take a gander at these functions to strip out only certain HTML tags (or attributes) from a variable, handy to limit the amount of HTML a user can post...

Code:
// ------------------------------------------------------------------------------------------------
function view_safe($variable) {
    $variable = removeEvilTags($variable);
    $variable = removeEvilAttributes($variable);
    return $variable;
}
// ------------------------------------------------------------------------------------------------
function removeEvilAttributes($tagSource, $strip_attribs = "onmouseover|onmouseout|onclick|ondblclick|onmousedown|onmousemove|onkeypress|onkeydown|onkeyup")
{
    // Matches  onxxx="..."  for each listed attribute name; the single quote is the regex delimiter
    $stripAttrib = "' ($strip_attribs)=\"(.*?)\"'i";
    $tagSource = stripslashes($tagSource);
    $tagSource = preg_replace($stripAttrib, '', $tagSource);
    return $tagSource;
}
// ------------------------------------------------------------------------------------------------
function removeEvilTags($source, $allowed_tags = "<a><br><b><h1><h2><h3><h4><i><em><img><p><strong><u><ul><font>")
{
    // strip_tags() removes every tag not in the allow-list
    $source = strip_tags($source, $allowed_tags);
    // Run removeEvilAttributes() over the inside of each remaining tag.
    // The original used preg_replace() with the /e modifier, which was removed in PHP 7;
    // preg_replace_callback() does the same job without evaluating the replacement as code.
    return preg_replace_callback('/<(.*?)>/i', function ($m) {
        return '<' . removeEvilAttributes($m[1]) . '>';
    }, $source);
}
Passing the $allowed_tags and $strip_attribs is optional, unless you wish to change the default tags and attributes. An example snippet of it in use could be...

Code:
foreach ($_POST as $k => $v) {
    echo view_safe($v);
}
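Putting the two approaches in this thread side by side, as an added example that is not code from any poster: addslashes() only backslash-escapes quotes (it is a legacy SQL string-escaping helper) and leaves tags intact, htmlspecialchars() is the PHP counterpart of the ASP encode function the question asks about, and the allow-list idea is rewritten without the /e modifier. The function names and the sample input are constructed for illustration.

```php
<?php
// Added example, not from any post in this thread. Function names and the
// sample input are constructed for illustration.
$userInput = '<b onmouseover="alert(1)">Hi</b> & "quoted" \'apostrophe\'';

// addslashes() only backslash-escapes quotes and backslashes. It is a legacy
// SQL string-escaping helper, not an HTML encoder: every tag and event handler
// survives, so a browser would still interpret them when the value is echoed.
function store_with_addslashes(string $s): string
{
    return addslashes($s);
}

// What the question asks for (the PHP counterpart of ASP's Server.HTMLEncode):
// encode the characters that have meaning in HTML so the browser shows them
// as text. ENT_QUOTES also encodes single quotes, so the result is safe inside
// attribute values; the explicit charset avoids multibyte parsing ambiguities.
function html_encode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allow-list variant of Gary_Pinkett's idea: keep a small set of formatting
// tags, then drop any on*="..." event-handler attribute from the tags that
// remain. Written with preg_replace_callback, since the /e modifier used in
// the original was removed in PHP 7.
function allow_list_html(string $s): string
{
    $s = strip_tags($s, '<a><br><b><i><em><p><strong><u><ul><li>');
    return preg_replace_callback(
        '/<([a-z][a-z0-9]*)\b([^>]*)>/i',
        function (array $m): string {
            $attrs = preg_replace(
                '/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i',
                '',
                $m[2]
            );
            return '<' . $m[1] . $attrs . '>';
        },
        $s
    );
}

echo store_with_addslashes($userInput), PHP_EOL; // tags intact, only quotes escaped
echo html_encode($userInput), PHP_EOL;           // shown literally by the browser
echo allow_list_html($userInput), PHP_EOL;       // <b> kept, onmouseover removed
```

Regex-based tag filtering like the third function is easy to get wrong on malformed markup, so for real allow-listing a parser-based HTML sanitizer is the safer choice; for plain "show what the user typed" output, html_encode() is all that is needed.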