[SOLVED] Less than & greater than signs in php output


dubson

I have this code for a comment/blog page, and I want to include the ability to use < and > signs so smilies, links etc can be used in the blog/comments.

 

Here's the code:

<?php
if (isset($_POST['message']))
{
if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token'])
{
$message = nl2br(htmlentities($_POST['subject']));
$message = nl2br(htmlentities($_POST['message']));

$fp = fopen('blog.php', 'a');
fwrite($fp, "<h1><p>$subject</p>$message</h1>");
fclose($fp);
}
}

$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;

?>

Post a blog, Dub.
<form method="POST" name="comments">
<input type="hidden" name="token" value="<?php echo $token;?>" />
<input type="text" name="subject" width="200px"><br />
<textarea name="message" cols="50" rows="15"></textarea><br />
<input type="submit" value="Submit">
</form>
<?php

readfile('blog.php');

?>

 

I think I saw 'htmlspecialchars' somewhere whilst researching; would that be the direction I should look in?

 

Thanks in advance for any help, if possible just show me where to put what because I'm quite new to this game :D

 

thanks

dubson


htmlspecialchars converts < and > to &lt; and &gt;

 

i think you would want to use preg_match

 

example for links:

 

$v = preg_match('#\<url\>(.*?)\</url\>#msi',$text,$im);  //finds first match of <url>something</url> in $text
$text = str_replace($im[0],"<a href='".$im[1]."' target='_blank'>",$text); //replaces <url>something</url> with <a href="something" target="_blank">

 

this would change <url>http://www.google.com</url> to

<a href="http://www.google.com" target="_blank">

 


what you might want to do is create a function that parses all the text:

 

function create_links($text) {
$v = 1;
   while $v==1 {
$v = preg_match('#\<url\>(.*?)\</url\>#msi',$text,$im);  //finds first match of <url>something</url> in $text
$text = str_replace($im[0],"<a href='".$im[1]."' target='_blank'>",$text); //replaces <url>something</url> with <a href="something" target="_blank">
}

return $text;
}

 

i haven't tested that but put it near the top of your code

 

call using:

 

$message = create_links($message);

 

$message is the text from your database.

 


Parse error: parse error, unexpected T_VARIABLE, expecting '(' in /home/www/baselinedesign.freehostia.com/admin/blogger/index.php on line 26

 

Line 26 is

$v = preg_match('#\<url\>(.*?)\</url\>#msi',$text,$im);  //finds first match of <url>something</url> in $text

 

What should I do? Remember I'm new to php.

 

And the script doesn't use a database, by the way.


It doesn't work for me for some reason, I still see the < > signs in the output. Did I put the code in the right places?

 

<?php
function create_links($text) {
$v = 1;
while ($v==1) {
$v = preg_match('#\<url\>(.*?)\</url\>#msi',$text,$im);  //finds first match of <url>something</url> in $text
$text = str_replace($im[0],"<a href='".$im[1]."' target='_blank'>",$text); //replaces <url>something</url> with <a href="something" target="_blank">
}

return $text;
}
if (isset($_POST['message']))
{
if (isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token'])
{
$message = create_links($message);
$message = nl2br(htmlentities($_POST['subject']));
$message = nl2br(htmlentities($_POST['message']));

$fp = fopen('blog.php', 'a');
fwrite($fp, "<h1><p>$subject</p>$message</h1>");
fclose($fp);
}
}

$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;

?>

Post a blog, Dub.
<form method="POST" name="comments">
<input type="hidden" name="token" value="<?php echo $token;?>" />
<input type="text" name="subject" width="200px"><br />
<textarea name="message" cols="50" rows="15"></textarea><br />
<input type="submit" value="Submit">
</form>
<?php

readfile('blog.php');

?>

 

And I'm not sure if the code is exactly what I'm after; although it would work for URLs, would it work for:

<img src="images/blah.jpg"></img>

?


$message = create_links($message);

 

should be after

 

$message = nl2br(htmlentities($_POST['subject']));
$message = nl2br(htmlentities($_POST['message']));

 

to make it also work for images, change the function to:

function create_links($text) {
$v = 1;
$w = 1;
while ($v==1 || $w==1) {
$v = preg_match('#\<url\>(.*?)\</url\>#msi',$text,$im);  //finds first match of <url>something</url> in $text
$w = preg_match('#\<img\>(.*?)\</img\>#msi',$text,$img); //finds first match of <img>something</img> in $text
if ($v==1) {
$text = str_replace($im[0],"<a href='".$im[1]."' target='_blank'>",$text); //replaces <url>something</url> with <a href="something" target="_blank">
}
if ($w==1) {
$text = str_replace($img[0],"<img src='".$img[1]."' />",$text); //replaces <img>something</img> with <img src="something" />
}
}

return $text;
}

 

you might want to change the variable the subject goes into because right now $message = the subject, but then is changed to the message.


It still doesn't work for me, I'll give the variable a change later today and try again though.

 

I really don't want to sound rude, but surely there's a simpler way of making sure < appears in the output as < and not as &lt;. It's done with nl2br; isn't there a counterpart for the < and > characters?

 

If there isn't, I'll keep working on this :D


You need to encode < and >, or at least handle them in some way, else your script is ripe for exploitation. If you want the user to see < and > in the page then they must be encoded to &lt; and &gt; respectively; if you want to create hyperlinks then they are left as < and > in the source.


By ripe for exploitation, do you mean that by allowing < & > anyone could use the form to post malicious code to my website? I don't think that would be a problem, as you have to log in to get to the post-a-blog page. I'm not bothered about including the link/image option in the actual comment page.

 

 


Ok, after a random Google search I saw someone say that 'htmlentities' is to encode < & >. I knew that this was in my code, so I removed it and the effect was exactly what I wanted.

 

Now that that is over, there's another small problem. Every time a " (quote mark) is blogged it's preceded by a backward slash. Should I start a new thread for this or keep this one going?

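An added example, not code from the thread or from any of its posters, of the approach the "encode < and >" reply describes: escape the whole post with htmlspecialchars first, then turn the already-escaped <url>...</url> and <img>...</img> markup back into real tags only when the captured value is an absolute http(s) URL. The function names safe_url and render_post, the markup shape, and the sample post are assumptions made for this example.

```php
<?php
// Escape everything first, then rebuild links/images only from values that
// validate as absolute http(s) URLs. Anything else stays as inert escaped
// text, so a posted <script> tag is displayed rather than executed.

function safe_url(string $escaped): ?string {
    // The capture comes out of escaped text, so decode it before validating.
    $raw = html_entity_decode($escaped, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($raw, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                     // rejects javascript:, data:, file: ...
    }
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_post(string $subject, string $message): string {
    $subject = htmlspecialchars($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text    = nl2br(htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8'));

    // After escaping, <url>x</url> is literally "&lt;url&gt;x&lt;/url&gt;".
    $text = preg_replace_callback('#&lt;url&gt;(.*?)&lt;/url&gt;#si',
        function (array $m): string {
            $href = safe_url($m[1]);
            return $href === null ? $m[0]
                : '<a href="' . $href . '" target="_blank" rel="noopener noreferrer">' . $href . '</a>';
        }, $text);
    $text = preg_replace_callback('#&lt;img&gt;(.*?)&lt;/img&gt;#si',
        function (array $m): string {
            $src = safe_url($m[1]);
            return $src === null ? $m[0] : '<img src="' . $src . '" alt="" />';
        }, $text);
    return "<h2>$subject</h2><p>$text</p>";
}

// Constructed sample post: one legitimate link, one attempted script tag,
// one javascript: link. Only the first becomes a real <a> tag.
$sample = "Have a look: <url>http://www.google.com</url>\n"
        . "<script>alert(1)</script>\n"
        . "<url>javascript:alert(1)</url>";
echo render_post('Hello "world"', $sample), "\n";
```

Relative paths such as images/blah.jpg are rejected by this version on purpose; if you want to allow them, add an explicit check for a path under your own images directory rather than relaxing the scheme allowlist.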
