garry (May 23, 2008):

Just a quick question, I'm currently sanitizing all user input by using the strip_tags function to remove tags. But, now that I've installed the TinyMCE editor, I want certain tags to be allowed. How can I strip all tags BUT a list that I specify? I'm sure there's a way to do it but can't find out how. Thanks!

Link: https://forums.phpfreaks.com/topic/106996-strip_tags/
BlueSkyIS (May 23, 2008):

http://us.php.net/strip_tags

    string strip_tags ( string $str [, string $allowable_tags ] )
garry (May 24, 2008):

Okay, can you help me improve my function to work properly please? If I type: "<b>text text text</b>p>some text here</p>" I get the following output:

    <b>blah blah blah</b> <p><p>some text here</p></p>

Here is the function I'm using to clean the code:

    <?php
    function clean($var) {
        // Undo magic_quotes escaping so the data is not escaped twice
        if (get_magic_quotes_gpc()) {
            $var = stripslashes($var);
        }
        $var = mysql_real_escape_string($var);   // escape for the SQL query
        $var = strip_tags($var, '<b>,<p>');      // keep only <b> and <p>
        $var = htmlentities($var);               // encodes the surviving tags too
        return $var;
    }
    ?>

Can anyone help?
minidak03 (May 24, 2008):

Your function does some strange things. For instance, why are you using

    $var = mysql_real_escape_string($var);

That should only be used to insert data into a database. If you are just cleaning out HTML, just use the following:

    $var = strip_tags($var, '<b>,<p>');

However, you're getting things like < because of the line

    $var = htmlentities($var);

Also your string "text text textp>some text here</p>" should not return everything between the paragraph tags because it's improperly formatted.
garry (May 24, 2008):

I am escaping the data because I AM adding it to the database. And I did have the <p> formatted properly, I just quickly retyped it here and must have missed that. Can you please help me fix this function?
anon4104 (May 24, 2008):

Garry, Minidak03 just told you how to fix it. If you are looking for someone to write the code out for you, you've come to the wrong place.
minidak03 (May 24, 2008):

I'll write it out for you. If you're just protecting user insertion into the database then just do this:

    <?php
    function clean($var) {
        // escape only for the SQL query; needs an open MySQL connection
        $var = mysql_real_escape_string($var);
        return $var;
    }
    ?>

However, if you're not putting it into the database and just want to display PHP code on a PHP page without the code being fired but displayed instead, then do this:

    <?php
    function clean($var) {
        // encode < > & " so the browser shows the markup instead of rendering it
        $var = htmlentities($var);
        return $var;
    }
    ?>

If you want to first strip out the required HTML tags and then protect the info for insertion into the database, then do this:

    <?php
    function clean($var) {
        $var = strip_tags($var, '<b>,<p>');     // keep only <b> and <p>
        $var = mysql_real_escape_string($var);  // then escape for the query
        return $var;
    }
    ?>

I hope that helps a bit more.
garry (May 24, 2008):

No, my question still stands "anon". And I am not asking anybody to write the code for me, I already have written my own function to clean. I'm just asking for someone to look over it and help me see what is wrong with it. Your rude post wasn't a lot of help either.
garry (May 24, 2008):

Thanks for your help minidak, but this has still not fixed my problem. I have already written a function to sanitize user input and to prevent SQL injection as I am inserting this data into a database (hence the mysql_real_escape_string). What I'm trying to figure out is how to have all HTML be stripped except for the specific tags that I allow. Even after using the code I posted above, I still get this:

    <p><b> a description goes here </b></p> <p><p> some other text goes here </p></p>

There is something wrong in this function, that isn't making the tags I specifically entered work:

    function clean($var) {
        // Undo magic_quotes escaping so the data is not escaped twice
        if (get_magic_quotes_gpc()) {
            $var = stripslashes($var);
        }
        // Defined here but not yet used by the strip_tags() call below
        $AllowedTags = array("a", "b", "blink", "blockquote", "br", "caption", "center",
            "col", "colgroup", "comment", "em", "font", "h1", "h2", "h3", "h4", "h5", "h6",
            "hr", "img", "li", "marquee", "ol", "p", "pre", "s", "small", "span", "strike",
            "strong", "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "tr",
            "tt", "u", "ul");
        $var = mysql_real_escape_string($var);   // escape for the SQL query
        $var = strip_tags($var, '<b>,<p>');      // keep only <b> and <p>
        $var = htmlentities($var);               // encodes the surviving tags too
        return $var;
    }
minidak03 (May 24, 2008):

Based upon your last post, your issue is with this line:

    $var = htmlentities($var);

That will not make your tags work; that will disable them and just display them as standard TEXT and not HTML elements, so when the page gets rendered it will look like this <b> and not like this BOLD.
minidak03 (May 24, 2008):

I also want to say that if you want the allowed HTML to render, as in making something bold, then you don't even need this line:

    $var = htmlentities($var);
garry (May 24, 2008):

I was advised to put that line previously for some security reason, so that's why it's there. But even after removing this line, the problem still remains. I get this output:

    <b>some title</b> <p>some description</p>

It doesn't actually render the tags, just prints them.
minidak03 (May 24, 2008):

Try this, it should be all you need, because using

    $var = htmlentities($var);

will make all your HTML render as text and not HTML, and there is no reason why that would be a security concern unless they are inserting JavaScript into the page, but that's a whole nother story.

    function clean($var) {
        $var = strip_tags($var, '<b>,<p>');     // keep only <b> and <p>
        $var = mysql_real_escape_string($var);  // then escape for the query
        return $var;
    }

EDIT: Also note that you will get an error if mysql_real_escape_string($var); is used before the database connection is made.
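The point minidak03 sets aside ("unless they are inserting JavaScript") is the one that matters for a whitelist: strip_tags() keeps every attribute on an allowed tag, so an allowed <p> can still carry an inline event handler. The following is an added example, not code from the thread, that whitelists tags the same way and then drops all attributes from what survives; it assumes PHP's ext/dom (libxml) is available.

```php
<?php
// Added example, not code from the thread. Whitelists tags with strip_tags(),
// then removes every attribute left on the surviving tags, because strip_tags()
// keeps attributes on allowed tags. Requires ext/dom (libxml).
function clean_body(string $html, array $allowedTags = ['b', 'p']): string
{
    // strip_tags() expects the allow list as '<b><p>'
    $allowList = '<' . implode('><', $allowedTags) . '>';
    $stripped  = strip_tags($html, $allowList);   // stripped tags leave their text behind

    $doc = new DOMDocument();
    // The XML prologue makes libxml read the fragment as UTF-8; the <body>
    // wrapper gives several top-level nodes one parent to serialise from.
    $doc->loadHTML(
        '<?xml encoding="utf-8"?><body>' . $stripped . '</body>',
        LIBXML_NOERROR | LIBXML_NOWARNING
    );
    foreach ($doc->getElementsByTagName('*') as $element) {
        while ($element->hasAttributes()) {
            $element->removeAttribute($element->attributes->item(0)->nodeName);
        }
    }

    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $node) {
        $out .= $doc->saveHTML($node);
    }
    return $out;
}

// Constructed input: an allowed tag carrying an attribute, plus a tag outside the list.
$input = '<p onclick="handler()">hello <b>world</b></p><i>plain</i>';
echo clean_body($input), PHP_EOL;
```

The sample prints `<p>hello <b>world</b></p>plain`; run this before the data is stored, and keep htmlspecialchars() for output of fields that are not meant to render as HTML.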
minidak03 (May 24, 2008):

Hang on one second. When the data is being taken out of the database you may have to use the stripslashes() function as well; that may be your issue as well, because the source may become <p/> or something like that.
garry (May 24, 2008):

Looks like it's working now! Thanks a lot for your help!
anon4104 (May 24, 2008):

"No, my question still stands "anon". And I am not asking anybody to write the code for me, I already have written my own function to clean. I'm just asking for someone to look over it and help me see what is wrong with it. Your rude post wasn't a lot of help either."

My post, "garry", was not meant to be rude. I was merely pointing out that he had already answered your question (in regards to your comment: "Can you please help me fix this function?"). I apologize for the misunderstanding. Glad to see your problem has been solved. Cheers.
garry (May 24, 2008):

No hard feelings anon, I was just saying that I wasn't trying to ask anybody to "do it for me", I was simply asking for help to solve a question that I had so I could learn from it (I'm new to PHP).

But I've had to change the status to not solved as I had some more problems. Because I've had to remove the htmlentities function from my cleaning function, this means that characters such as $, & and ; will display incorrectly, am I correct?

And also, I needed some help with a query I was making. I am trying to use user supplied data to insert into two separate tables in one database, but the second table that is inserted into needs to get information from the first table that was inserted from (the new id created). Here's an example of the code:

    $album    = clean_full($_POST['album']);
    $artistid = $_POST['artist'];
    $year     = (int)($_POST['year']);
    $review   = clean_body($_POST['review']);
    $user_id  = $_SESSION['user_id'];

    // This id will auto-increment in the database, but I need to get the number it is assigned
    $query = "INSERT INTO albums SET
                  id         = '',
                  artist_id  = '$artistid',
                  title      = '$album',
                  year       = '$year',
                  user_id    = '$user_id',
                  created_at = NOW()";

    // I need to get the id from the previous insert and place it in album_id
    $query1 = "INSERT INTO reviews SET
                  id         = '',
                  artist_id  = '$artistid',
                  album_id   = '?WHERE DO I GET THIS?',
                  body       = '$review',
                  user_id    = '$user_id',
                  created_at = NOW()";

    $result = mysql_query($query);

I would really appreciate any help.
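As an added example (not garry's code and not an answer given in the thread), here is the two-table insert done with PDO prepared statements, which fetch the new album id with lastInsertId() and make the mysql_real_escape_string() step in clean() unnecessary. It assumes a PDO connection $pdo to the MySQL database from the post, with the albums and reviews tables having AUTO_INCREMENT id columns and the connection opened with PDO::ERRMODE_EXCEPTION.

```php
<?php
// Added example, not garry's code. Assumes $pdo is a PDO connection to the MySQL
// database from the post (albums and reviews with AUTO_INCREMENT id columns),
// opened with PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION.
function insert_album_with_review(
    PDO $pdo, int $artistId, string $title, int $year, string $reviewBody, int $userId
): int {
    // Both rows are written or neither is, so a review never points at a missing album.
    $pdo->beginTransaction();
    try {
        // Bound parameters replace mysql_real_escape_string(); the id column is
        // left out so MySQL assigns it.
        $album = $pdo->prepare(
            'INSERT INTO albums (artist_id, title, year, user_id, created_at)
             VALUES (:artist_id, :title, :year, :user_id, NOW())'
        );
        $album->execute([
            ':artist_id' => $artistId, ':title' => $title,
            ':year' => $year, ':user_id' => $userId,
        ]);
        // The AUTO_INCREMENT value assigned by the INSERT above, on this connection.
        $albumId = (int) $pdo->lastInsertId();

        $review = $pdo->prepare(
            'INSERT INTO reviews (artist_id, album_id, body, user_id, created_at)
             VALUES (:artist_id, :album_id, :body, :user_id, NOW())'
        );
        $review->execute([
            ':artist_id' => $artistId, ':album_id' => $albumId,
            ':body' => $reviewBody, ':user_id' => $userId,
        ]);
        $pdo->commit();
        return $albumId;
    } catch (PDOException $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// Plain-text fields such as the title are escaped when displayed, not when stored,
// so "$", "&" and ";" are saved exactly as typed and still render correctly.
function render_title(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}
```

Escaping once at output with render_title() answers the "$, & and ;" question: stored values stay raw, and only the field that is meant to render as HTML (the stripped review body) is echoed without htmlspecialchars().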
garry (May 25, 2008):

bump?
garry (May 25, 2008):

anyone?