dubson Posted June 7, 2008 Share Posted June 7, 2008 I have this code for a comment/blog page, and I want to include the ability to use < and > signs so smilies, links etc can be used in the blog/comments. Here's the code: <?php if (isset($_POST['message'])) { if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) { $message = nl2br(htmlentities($_POST['subject'])); $message = nl2br(htmlentities($_POST['message'])); $fp = fopen('blog.php', 'a'); fwrite($fp, "<h1><p>$subject</p>$message</h1>"); fclose($fp); } } $token = md5(uniqid(rand(), true)); $_SESSION['token'] = $token; ?> Post a blog, Dub. <form method="POST" name="comments"> <input type="hidden" name="token" value="<?php echo $token;?>" /> <input type="text" name="subject" width="200px"><br /> <textarea name="message" cols="50" rows="15"></textarea><br /> <input type="submit" value="Submit"> </form> <?php readfile('blog.php'); ?> I think I saw somewhere whilst researching 'htmlspecialchars' would that be the direction I should look in? Thanks in advance for any help, if possible just show me where to put what because I'm quite new to this game thanks dubson Link to comment https://forums.phpfreaks.com/topic/109137-solved-less-than-greater-than-signs-in-php-output/ Share on other sites More sharing options...
aseaofflames Posted June 7, 2008 Share Posted June 7, 2008 htmlspecialchars converts < and > to < and > i think you would want to use preg_match example for links: $v = preg_match('#\<url\>(.*?)\</url\>#msi',$text,$im); //finds first match of <url>something</url> in $text $text = str_replace($im[0],"<a href='".$im[1]."' target='_blank'>",$text); //replaces <url>something</url> with <a href="something" target="_blank"> this would change <url>http://www.google.com</url> to <a href="http://www.google.com" target="_blank"> Link to comment https://forums.phpfreaks.com/topic/109137-solved-less-than-greater-than-signs-in-php-output/#findComment-559813 Share on other sites More sharing options...
dubson Posted June 7, 2008 Author Share Posted June 7, 2008 I'm not actually sure where to put that in the code, does it just go anywhere within the php tags? Link to comment https://forums.phpfreaks.com/topic/109137-solved-less-than-greater-than-signs-in-php-output/#findComment-559859 Share on other sites More sharing options...
aseaofflames Posted June 9, 2008 Share Posted June 9, 2008 what you might want to do is create a function that parses all the text: function create_links($text) { $v = 1; while $v==1 { $v = preg_match('#\<url\>(.*?)\</url\>#msi',$text,$im); //finds first match of <url>something</url> in $text $text = str_replace($im[0],"<a href='".$im[1]."' target='_blank'>",$text); //replaces <url>something</url> with <a href="something" target="_blank"> } return $text; } i haven't tested that but put it near the top of your code call using: $message = create_links($message); $message is the text from your database. Link to comment https://forums.phpfreaks.com/topic/109137-solved-less-than-greater-than-signs-in-php-output/#findComment-560877 Share on other sites More sharing options...
dubson Posted June 9, 2008 Author Share Posted June 9, 2008 Parse error: parse error, unexpected T_VARIABLE, expecting '(' in /home/www/baselinedesign.freehostia.com/admin/blogger/index.php on line 26 Line 26 is $v = preg_match('#\<url\>(.*?)\</url\>#msi',$text,$im); //finds first match of <url>something</url> in $text What should I do? Remember I'm new to php. And the script doesn't use a database, by the way. Link to comment https://forums.phpfreaks.com/topic/109137-solved-less-than-greater-than-signs-in-php-output/#findComment-560991 Share on other sites More sharing options...
aseaofflames Posted June 9, 2008 Share Posted June 9, 2008 change while $v==1 { to while ($v==1) { Link to comment https://forums.phpfreaks.com/topic/109137-solved-less-than-greater-than-signs-in-php-output/#findComment-561129 Share on other sites More sharing options...
dubson Posted June 9, 2008 Author Share Posted June 9, 2008 It doesn't work for me for some reason, I still see the < > signs in the output. Did i put the code n the right places? <?php function create_links($text) { $v = 1; while ($v==1) { $v = preg_match('#\<url\>(.*?)\</url\>#msi',$text,$im); //finds first match of <url>something</url> in $text $text = str_replace($im[0],"<a href='".$im[1]."' target='_blank'>",$text); //replaces <url>something</url> with <a href="something" target="_blank"> } return $text; } if (isset($_POST['message'])) { if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token']) { $message = create_links($message); $message = nl2br(htmlentities($_POST['subject'])); $message = nl2br(htmlentities($_POST['message'])); $fp = fopen('blog.php', 'a'); fwrite($fp, "<h1><p>$subject</p>$message</h1>"); fclose($fp); } } $token = md5(uniqid(rand(), true)); $_SESSION['token'] = $token; ?> Post a blog, Dub. <form method="POST" name="comments"> <input type="hidden" name="token" value="<?php echo $token;?>" /> <input type="text" name="subject" width="200px"><br /> <textarea name="message" cols="50" rows="15"></textarea><br /> <input type="submit" value="Submit"> </form> <?php readfile('blog.php'); ?> And I'm not sure if the code is exactly what I'm after, although it would work for URL's, would it work for: <img src="images/blah.jpg"></img> ? Link to comment https://forums.phpfreaks.com/topic/109137-solved-less-than-greater-than-signs-in-php-output/#findComment-561513 Share on other sites More sharing options...
aseaofflames Posted June 9, 2008 Share Posted June 9, 2008 $message = create_links($message); should be after $message = nl2br(htmlentities($_POST['subject'])); $message = nl2br(htmlentities($_POST['message'])); to make it also work for images change the function to: function create_links($text) { $v = 1; while ($v==1 || $w==1) { $v = preg_match('#\<url\>(.*?)\</url\>#msi',$text,$im); //finds first match of <url>something</url> in $text $v = preg_match('#\<img\>(.*?)\</img\>#msi',$text,$img); $text = str_replace($im[0],"<a href='".$im[1]."' target='_blank'>",$text); //replaces <url>something</url> with <a href="something" target="_blank"> $text = str_replace($img[0],"<a href='".$img[1]."' target='_blank'>",$text); } return $text; } you might want to change the variable the subject goes into because right now $message = the subject, but then is changed to the message. Link to comment https://forums.phpfreaks.com/topic/109137-solved-less-than-greater-than-signs-in-php-output/#findComment-561591 Share on other sites More sharing options...
dubson Posted June 13, 2008 Author Share Posted June 13, 2008 It still doesn't work for me, I'll give the variable a change later today and try again though. I really don't want to sound rde, but surely there's a simpler way of making sure < appears in the output as < and not as <. It's done with nl2br, isn't there a counterpart for the < and > characters? If there isn't, I'll keep working on this Link to comment https://forums.phpfreaks.com/topic/109137-solved-less-than-greater-than-signs-in-php-output/#findComment-564664 Share on other sites More sharing options...
dubson Posted June 13, 2008 Author Share Posted June 13, 2008 Well I tried editing it... but It still doesn't work. If there's no simple answer to my earlier idea of a nl2br counterpart, maybe there is a really simple blog form someone could introduce me to? Link to comment https://forums.phpfreaks.com/topic/109137-solved-less-than-greater-than-signs-in-php-output/#findComment-564675 Share on other sites More sharing options...
Vizor Posted June 13, 2008 Share Posted June 13, 2008 You need to encode < and > or at least handle them in some way else your script is ripe for exploitation, if you want the user to see < and > in the page then they must be encoded to < and > respectively, if you want to create hyperlinks then they are left as < and > in the source. Link to comment https://forums.phpfreaks.com/topic/109137-solved-less-than-greater-than-signs-in-php-output/#findComment-564685 Share on other sites More sharing options...
dubson Posted June 13, 2008 Author Share Posted June 13, 2008 By ripe for exploitation, do you mean that by allowing < & > anyone could use the form to post malicious code to my website? I don't think that would be a problem as you have to login to get to the post-a-blog page. I'm not bothered about including the link/image option in the actual comment page. Link to comment https://forums.phpfreaks.com/topic/109137-solved-less-than-greater-than-signs-in-php-output/#findComment-564706 Share on other sites More sharing options...
dubson Posted June 13, 2008 Author Share Posted June 13, 2008 Ok, after a random Google search I saw someone say that 'htmlentities' is to encode < & >. I knew that this was in my code, so I removed it and the effect was exactly what I wanted. Now that that is over, there's another small problem. Every time a " (quote mark) is blogged it's preceded by a backward slash. Should I start a new thread for this or keep this one going? Link to comment https://forums.phpfreaks.com/topic/109137-solved-less-than-greater-than-signs-in-php-output/#findComment-564714 Share on other sites More sharing options...
BlueSkyIS Posted June 13, 2008 Share Posted June 13, 2008 stripslashes() Link to comment https://forums.phpfreaks.com/topic/109137-solved-less-than-greater-than-signs-in-php-output/#findComment-564758 Share on other sites More sharing options...
dubson Posted June 14, 2008 Author Share Posted June 14, 2008 It's working! Absolutely perfectly, punctuation marks, links, and images all appear as they should. Thanks for all your help guys much appreciated Link to comment https://forums.phpfreaks.com/topic/109137-solved-less-than-greater-than-signs-in-php-output/#findComment-565484 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.