
Strip Html Entities



xxcorrosionxx
09-11-2011, 07:57 PM
Hey, I need some help stripping this so people can stop inserting meta refresh tags lol:


$fname = clean($_POST['fname']);
$lname = clean($_POST['lname']);
$login = clean($_POST['login']);
$SiteID = clean($_POST['SiteID']);
$Age = clean($_POST['Age']);
$Url = clean($_POST['Url']);
$realname = clean($_POST['realname']);
$exitmessage = clean($_POST['exitmessage']);
$comments = clean($_POST['comments']);
$password = clean($_POST['password']);
$cpassword = clean($_POST['cpassword']);

Where exactly would I strip this? I mean, I am using a clean function; can someone give me an example please? Thank you in advance, leet coders!

perpl3x3d
09-11-2011, 08:00 PM
Any way you can post your clean function?

xxcorrosionxx
09-11-2011, 08:11 PM
Register-exec.php


<?php
//Start session
session_start();

//Include database connection details
require_once('config.php');

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;

//Connect to mysql server
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
    die('Failed to connect to server: ' . mysql_error());
}

//Select database
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
    die("Unable to select database");
}

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

//Sanitize the POST values
$fname = clean($_POST['fname']);
$lname = clean($_POST['lname']);
$SiteID = clean($_POST['SiteID']);
$Age = clean($_POST['Age']);
$Url = clean($_POST['Url']);
$realname = clean($_POST['realname']);
$exitmessage = clean($_POST['exitmessage']);
$comments = clean($_POST['comments']);
$password = clean($_POST['password']);
$cpassword = clean($_POST['cpassword']);
$remoteAddress = $_SERVER["REMOTE_ADDR"];
$str = trim(strip_tags($str));

//Input Validations
if($fname == '') {
    $errmsg_arr[] = 'First name missing';
    $errflag = true;
}
if($lname == '') {
    $errmsg_arr[] = 'Last name missing';
    $errflag = true;
}
if($login == '') {
    $errmsg_arr[] = 'Login ID missing';
    $errflag = true;
}
if($SiteID == '') {
    $errmsg_arr[] = 'Site ID missing';
    $errflag = true;
}
if($Age == '') {
    $errmsg_arr[] = 'Age missing';
    $errflag = true;
}
if($Url == '') {
    $errmsg_arr[] = 'Url missing';
    $errflag = true;
}
if($exitmessage == '') {
    $errmsg_arr[] = 'Exit Message missing';
    $errflag = true;
}
if($comments == '') {
    $errmsg_arr[] = 'Comments missing';
    $errflag = true;
}
if($realname == '') {
    $errmsg_arr[] = 'Real Name missing';
    $errflag = true;
}
if($password == '') {
    $errmsg_arr[] = 'Password missing';
    $errflag = true;
}
if($cpassword == '') {
    $errmsg_arr[] = 'Confirm password missing';
    $errflag = true;
}
if( strcmp($password, $cpassword) != 0 ) {
    $errmsg_arr[] = 'Passwords do not match';
    $errflag = true;
}

//Check for duplicate login ID
if($login != '') {
    $qry = "SELECT * FROM members WHERE login='$login'";
    $result = mysql_query($qry);
    if($result) {
        if(mysql_num_rows($result) > 0) {
            $errmsg_arr[] = 'Login ID already in use';
            $errflag = true;
        }
        @mysql_free_result($result);
    }
    else {
        die("Query failed");
    }
}

//If there are input validations, redirect back to the registration form
if($errflag) {
    $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
    session_write_close();
    header("location: register.php");
    exit();
}

//Create INSERT query
$qry = "INSERT INTO members(firstname, lastname, login, SiteID, Age, Url, exitmessage, comments, realname, passwd) VALUES('$fname','$lname','$login','$SiteID','$Age','$Url','$exitmessage','$comments','$realname','".md5($_POST['password'])."')";
$result = @mysql_query($qry);

//Check whether the query was successful or not
if($result) {
    header("location: success.php");
    exit();
}else {
    die("Query failed");
}
?>

BluePanther
09-11-2011, 08:50 PM
You could easily add the function to the return statement in the clean function. But, just run the function itself before the items have been through clean() through all the variables and you'll be fine :)

tangoforce
09-11-2011, 08:52 PM
But it's the function you speak of which the OP is asking for help with, not where to put it.

BluePanther
09-11-2011, 08:57 PM
$fname = clean($_POST['fname']);
$lname = clean($_POST['lname']);
$login = clean($_POST['login']);
$SiteID = clean($_POST['SiteID']);
$Age = clean($_POST['Age']);
$Url = clean($_POST['Url']);
$realname = clean($_POST['realname']);
$exitmessage = clean($_POST['exitmessage']);
$comments = clean($_POST['comments']);
$password = clean($_POST['password']);
$cpassword = clean($_POST['cpassword']);

Where exactly would I strip this?
Are you wanting to strip the tags, or use HTML entities?
Strip tags will remove the tags completely; HTML entities will replace the tags with special characters that the browser translates to the text version of tags.
strip_tags() for the former, htmlspecialchars() for the latter. Use the function you desire before the clean() function.

xxcorrosionxx
09-11-2011, 08:59 PM
Strip tags completely. I don't want people to sign up under HTML codes and PHP codes, and be able to use meta refresh tags. Where do I place these strip tags in my register-exec.php?

tangoforce
09-11-2011, 09:11 PM
Are you wanting to strip the tags, or use HTML entities?

And you thought you were going blind the other day :D

xxcorrosionxx
09-11-2011, 09:17 PM
Can you tell me here? If you are looking for money, I am 16 years old. Lol! I don't have money, I am still living with my mom and dad.

BluePanther
09-11-2011, 09:27 PM
Register-exec.php


<?php

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

//Sanitize the POST values
$fname = clean($_POST['fname']);
$lname = clean($_POST['lname']);
$SiteID = clean($_POST['SiteID']);
$Age = clean($_POST['Age']);
$Url = clean($_POST['Url']);
$realname = clean($_POST['realname']);
$exitmessage = clean($_POST['exitmessage']);
$comments = clean($_POST['comments']);
$password = clean($_POST['password']);
$cpassword = clean($_POST['cpassword']);
$remoteAddress = $_SERVER["REMOTE_ADDR"];
$str = trim(strip_tags($str));

Change that to


//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
    $str = @trim(strip_tags($str));
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

//Sanitize the POST values
$fname = clean($_POST['fname']);
$lname = clean($_POST['lname']);
$SiteID = clean($_POST['SiteID']);
$Age = clean($_POST['Age']);
$Url = clean($_POST['Url']);
$realname = clean($_POST['realname']);
$exitmessage = clean($_POST['exitmessage']);
$comments = clean($_POST['comments']);
$password = clean($_POST['password']);
$cpassword = clean($_POST['cpassword']);
$remoteAddress = $_SERVER["REMOTE_ADDR"];


You had placed the strip_tags() in the wrong area :). You were stripping tags from the $str value passed into the function clean(), but doing it outside of the function. The amendment above will mean your clean() function will also strip tags :)

And you thought you were going blind the other day :D
haha :P
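The two options described in this thread (strip the tags, or encode them as entities), shown side by side on a constructed sign-up value. This is an added example, not code from the thread; it drops the mysql_real_escape_string() step because that needs a database connection and escapes for SQL, which is a separate job from making a value safe to display in HTML.

```php
<?php
// Approach 1: remove tags entirely, as the thread's amended clean() does
// with @trim(strip_tags($str)).
function strip_html($str) {
    return trim(strip_tags($str));
}

// Approach 2: keep the text but encode it so the browser shows it literally.
// ENT_QUOTES covers both quote styles; the charset must match the page's.
function escape_for_html($str) {
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}

// Constructed test value: a display name with a meta refresh tag in front,
// the kind of input the original poster wants to stop.
$input = '<meta http-equiv="refresh" content="0;url=http://example.invalid/">Bob';

echo "stripped: " . strip_html($input) . "\n";
echo "escaped:  " . escape_for_html($input) . "\n";

// Stripping at sign-up time does not remove the need to escape at display
// time: strip_tags() leaves quotes and ampersands untouched, so a stored
// value still goes through htmlspecialchars() when it is printed into a page.
$partial = 'Tom & "Jerry"';
echo "stripped: " . strip_html($partial) . "\n";
echo "escaped:  " . escape_for_html($partial) . "\n";

// strip_tags() is also not a text-preserving filter: a '<' followed directly
// by a non-space character is treated as the start of a tag, and everything
// up to the next '>' is discarded, so ordinary text can lose content.
echo "stripped: " . strip_html('5<6 and 7>2') . "\n";
```

For fields where the raw text should be kept intact (comments, an exit message), encoding at output with htmlspecialchars() preserves what the user typed while still neutralising any tags.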

xxcorrosionxx
09-11-2011, 09:38 PM
So I make it like this?


$fname = $str($_POST['fname']);

BluePanther
09-11-2011, 10:04 PM
no no no no no.

Remove the line $str = trim(strip_tags($str)); from underneath $remoteAddress = $_SERVER["REMOTE_ADDR"]; and replace the line $str = @trim($str); with $str = @trim(strip_tags($str)); and that's your solution.

$str() is a weird thing to say; $str is a string inside the clean() function. $str is not a function itself, it's a local variable for the clean() function, and is an argument passed into the clean() function.


