    #1 Regular Coder (Join Date Jan 2011, Posts 117)

    Netscape Strip Html Entities

    Hey, I need some help stripping this so people can stop inserting meta refresh tags lol:

    PHP Code:
    $fname = clean($_POST['fname']);
    $lname = clean($_POST['lname']);
    $login = clean($_POST['login']);
    $SiteID = clean($_POST['SiteID']);
    $Age = clean($_POST['Age']);
    $Url = clean($_POST['Url']);
    $realname = clean($_POST['realname']);
    $exitmessage = clean($_POST['exitmessage']);
    $comments = clean($_POST['comments']);
    $password = clean($_POST['password']);
    $cpassword = clean($_POST['cpassword']);
    Where exactly would I strip this? I mean, I am using a clean function; could someone give me an example please? Thank you in advance, leet coders!

    #2 New to the CF scene (Join Date Sep 2011, Posts 5)
    Any way you can post your clean function?


    #3 Regular Coder (Join Date Jan 2011, Posts 117)

    Register-exec.php

    PHP Code:
    <?php
    //Start session
    session_start();

    //Include database connection details
    require_once('config.php');

    //Array to store validation errors
    $errmsg_arr = array();

    //Validation error flag
    $errflag = false;

    //Connect to mysql server
    $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }

    //Select database
    $db = mysql_select_db(DB_DATABASE);
    if(!$db) {
        die("Unable to select database");
    }

    //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

    //Sanitize the POST values
    $fname = clean($_POST['fname']);
    $lname = clean($_POST['lname']);
    $login = clean($_POST['login']); // not in the posted code, but $login is validated and inserted below
    $SiteID = clean($_POST['SiteID']);
    $Age = clean($_POST['Age']);
    $Url = clean($_POST['Url']);
    $realname = clean($_POST['realname']);
    $exitmessage = clean($_POST['exitmessage']);
    $comments = clean($_POST['comments']);
    $password = clean($_POST['password']);
    $cpassword = clean($_POST['cpassword']);
    $remoteAddress = $_SERVER["REMOTE_ADDR"];
    $str = trim(strip_tags($str)); // $str is undefined out here; this line never touches the form values

    //Input Validations
    if($fname == '') {
        $errmsg_arr[] = 'First name missing';
        $errflag = true;
    }
    if($lname == '') {
        $errmsg_arr[] = 'Last name missing';
        $errflag = true;
    }
    if($login == '') {
        $errmsg_arr[] = 'Login ID missing';
        $errflag = true;
    }
    if($SiteID == '') {
        $errmsg_arr[] = 'Site ID missing';
        $errflag = true;
    }
    if($Age == '') {
        $errmsg_arr[] = 'Age missing';
        $errflag = true;
    }
    if($Url == '') {
        $errmsg_arr[] = 'Url missing';
        $errflag = true;
    }
    if($exitmessage == '') {
        $errmsg_arr[] = 'Exit Message missing';
        $errflag = true;
    }
    if($comments == '') {
        $errmsg_arr[] = 'Comments missing';
        $errflag = true;
    }
    if($realname == '') {
        $errmsg_arr[] = 'Real Name missing';
        $errflag = true;
    }
    if($password == '') {
        $errmsg_arr[] = 'Password missing';
        $errflag = true;
    }
    if($cpassword == '') {
        $errmsg_arr[] = 'Confirm password missing';
        $errflag = true;
    }
    if(strcmp($password, $cpassword) != 0) {
        $errmsg_arr[] = 'Passwords do not match';
        $errflag = true;
    }

    //Check for duplicate login ID
    if($login != '') {
        $qry = "SELECT * FROM members WHERE login='$login'";
        $result = mysql_query($qry);
        if($result) {
            if(mysql_num_rows($result) > 0) {
                $errmsg_arr[] = 'Login ID already in use';
                $errflag = true;
            }
            @mysql_free_result($result);
        }
        else {
            die("Query failed");
        }
    }

    //If there are input validation errors, redirect back to the registration form
    if($errflag) {
        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
        session_write_close();
        header("location: register.php");
        exit();
    }

    //Create INSERT query
    $qry = "INSERT INTO members(firstname, lastname, login, SiteID, Age, Url, exitmessage, comments, realname, passwd) VALUES('$fname','$lname','$login','$SiteID','$Age','$Url','$exitmessage','$comments','$realname','".md5($_POST['password'])."')";
    $result = @mysql_query($qry);

    //Check whether the query was successful or not
    if($result) {
        header("location: success.php");
        exit();
    }else {
        die("Query failed");
    }
    ?>

    #4 Senior Coder (Join Date Jul 2011, Posts 1,226)
    You could easily add the function to the return statement in the clean function. But just run the function itself, before the items have been through clean(), on all the variables and you'll be fine.

    #5 Senior Coder (Join Date Feb 2011, Location Your Monitor, Posts 4,089)
    But it's the function you speak of which the OP is asking for help with, not where to put it.
    My helpful sig is on vacation trying to lose some weight. It got a bit fat and caused a few problems but it will be back at some point!

    #6 Senior Coder (Join Date Jul 2011, Posts 1,226)
    Quote Originally Posted by xxcorrosionxx
    PHP Code:
    $fname = clean($_POST['fname']);
    $lname = clean($_POST['lname']);
    $login = clean($_POST['login']);
    $SiteID = clean($_POST['SiteID']);
    $Age = clean($_POST['Age']);
    $Url = clean($_POST['Url']);
    $realname = clean($_POST['realname']);
    $exitmessage = clean($_POST['exitmessage']);
    $comments = clean($_POST['comments']);
    $password = clean($_POST['password']);
    $cpassword = clean($_POST['cpassword']);
    Where exactly would I strip this?
    Are you wanting to strip the tags, or use HTML entities?
    Strip tags will remove the tags completely; HTML entities will replace the tags with special characters that the browser translates to the text version of tags.
    strip_tags() for the former, htmlspecialchars() for the latter. Use the function you desire before the clean() function.


    #7 Regular Coder (Join Date Jan 2011, Posts 117)
    Strip tags completely. I don't want people to sign up under HTML codes and PHP codes, and be able to use meta refresh tags. Where do I place these strip tags in my register-exec.php?

    #8 Senior Coder (Join Date Feb 2011, Location Your Monitor, Posts 4,089)
    Quote Originally Posted by BluePanther
    Are you wanting to strip the tags, or use HTML entities?
    And you thought you were going blind the other day

    #9 Regular Coder (Join Date Jan 2011, Posts 117)
    Can you tell me here? If you are looking for money, I am 16 years old. Lol! I don't have money; I am still living with my mom and dad.

    #10 Senior Coder (Join Date Jul 2011, Posts 1,226)
    Quote Originally Posted by xxcorrosionxx
    Register-exec.php

    PHP Code:
    <?php

    //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

    //Sanitize the POST values
    $fname = clean($_POST['fname']);
    $lname = clean($_POST['lname']);
    $login = clean($_POST['login']); // not in the posted code, but $login is validated and inserted later
    $SiteID = clean($_POST['SiteID']);
    $Age = clean($_POST['Age']);
    $Url = clean($_POST['Url']);
    $realname = clean($_POST['realname']);
    $exitmessage = clean($_POST['exitmessage']);
    $comments = clean($_POST['comments']);
    $password = clean($_POST['password']);
    $cpassword = clean($_POST['cpassword']);
    $remoteAddress = $_SERVER["REMOTE_ADDR"];
    $str = trim(strip_tags($str)); // $str is undefined out here; this line never touches the form values
    Change that to
    PHP Code:
    //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim(strip_tags($str)); // tags are now removed inside clean(), so every value passed through it is stripped
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

    //Sanitize the POST values
    $fname = clean($_POST['fname']);
    $lname = clean($_POST['lname']);
    $login = clean($_POST['login']); // not in the posted code, but $login is validated and inserted later
    $SiteID = clean($_POST['SiteID']);
    $Age = clean($_POST['Age']);
    $Url = clean($_POST['Url']);
    $realname = clean($_POST['realname']);
    $exitmessage = clean($_POST['exitmessage']);
    $comments = clean($_POST['comments']);
    $password = clean($_POST['password']);
    $cpassword = clean($_POST['cpassword']);
    $remoteAddress = $_SERVER["REMOTE_ADDR"];
    You had placed the strip_tags() in the wrong area. You were stripping tags from the $str value passed into the function clean(), but doing it outside of the function. The amendment above will mean your clean() function will also strip tags.
    Quote Originally Posted by tangoforce
    And you thought you were going blind the other day
    haha :P

    #11 Regular Coder (Join Date Jan 2011, Posts 117)
    So I make it like this?

    PHP Code:
    $fname = $str($_POST['fname']);

    #12 Senior Coder (Join Date Jul 2011, Posts 1,226)
    no no no no no.

    Remove the line $str = trim(strip_tags($str)); from underneath $RemoteAddress = $_SERVER["REMOTE_ADDR"]; and replace the line $str = @trim($str); with $str = @trim(strip_tags($str)); and that's your solution.

    $str() is a weird thing to say; $str is a string inside the clean() function. $str is not a function itself: it's a local variable for the clean() function, and is an argument passed into the clean() function.
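As an added example (not code from the thread or any of its posters), here is clean() with strip_tags() inside it, as post #10 recommends, beside the htmlspecialchars() alternative post #6 describes applied at output time. The clean(), render() and $post names, and the addslashes() stand-in for mysql_real_escape_string() (used only so the script runs without a MySQL link), are assumptions for this illustration.

```php
<?php
// Added example, not code from the thread: clean() in the shape BluePanther
// proposes (strip_tags() inside the function) beside an output-side
// htmlspecialchars(), so each defence sits in the layer it belongs to.
// Assumes PHP 7+; addslashes() stands in for mysql_real_escape_string()
// only so the example runs without a MySQL link (not a real substitute).

// Storage side: trim, drop HTML tags, then escape for the SQL string.
function clean(string $str): string
{
    $str = trim(strip_tags($str));
    return addslashes($str);   // thread code: mysql_real_escape_string($str)
}

// Output side: encode whatever is echoed back, so a stray "<" that
// strip_tags() left alone still cannot become markup in the browser.
function render(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed form input modelled on the thread's worry: a meta refresh tag
// inside the comments field, plus a name containing a quote.
$post = [
    'fname'    => "  O'Brien ",
    'comments' => 'nice site <meta http-equiv="refresh" content="0;url=http://example.invalid/"> bye',
];

$fname    = clean($post['fname']);    // O\'Brien  (quote escaped, no tags)
$comments = clean($post['comments']); // nice site  bye  (tag removed)

$checks = [
    $fname === "O\\'Brien",
    $comments === 'nice site  bye',
    render('a < b & "c"') === 'a &lt; b &amp; &quot;c&quot;',
];
foreach ($checks as $i => $ok) {
    if (!$ok) {
        throw new RuntimeException("check $i failed");
    }
}
echo "strip_tags() in clean(): '$comments'\n";
echo "htmlspecialchars() at output: " . render($comments) . "\n";
```

Note that the misplaced top-level $str = trim(strip_tags($str)); line from the original script would leave $post['comments'] untouched, which is exactly why the call has to sit inside clean().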

