betazoid Posted September 10, 2008

I'm new to PHP, writing my first major works. I have a test page called form.php which sends to process.php; on process.php there is an include of functions.php where I have written 2 functions. I was reading about PHP security, and want to make sure that when people enter items onto my page it can't do anything bad. But this is weird:

<?php
function clean_text($string) {
    $string = htmlspecialchars($string); // works fine, strips out all HTML code
    $string = strip_tags($string);       // is totally ignored, don't know why
    // $string = strip_tags($string);    // is a comment, so nothing expected
    $string = trim($string);             // strips leading and trailing spaces - totally ignored
    return $string;                      // returns the correct string based only on the first line
}

function chk_webs($urlcheck) {
    // BAD URL submission blocking.
    $urlcheck = str_replace("@", " ", $urlcheck); // works (original used ereg_replace(), which was removed in PHP 7)
    echo $urlcheck;                                // works
    echo "this function is working";               // works
    $webcleaned = $urlcheck;                       // is totally ignored
    return $webcleaned;                            // returns NULL
}
?>

I don't know why only the first line of the first function works, 3 lines in the second function work, and then the last bit is returning nothing at all. In the first one, the string is returned as $string; it sends the data back without any problems to process.php and is echoed as $string. The second function does nothing, so I added the echo lines merely to try and follow where the code was going wrong, or right. I don't understand why the functions only process the first lines or such; it appears random. When I do the code on the main process page, it works perfectly, each bit is done in turn, but when I include functions.php then things only go from bad to totally lost lol.
What I'm asking is how the functions should be structured, just so I can understand where I've gone wrong. I don't actually need a lump of code itself, just the method.

https://forums.phpfreaks.com/topic/123615-function-problem/
Maq Posted September 10, 2008

In your second function echo out $webcleaned and see if anything is there. You should also initialize $webcleaned at the beginning of your function.

function chk_webs($urlcheck) {
    $webcleaned = "";
    // BAD URL submission blocking.
    $urlcheck = str_replace("@", " ", $urlcheck); // ereg_replace() in the original; removed in PHP 7
    echo $urlcheck;
    echo "this function is working";
    $webcleaned = $urlcheck;
    echo '$webcleaned: ' . $webcleaned;
    return $webcleaned;
}
lanmonkey Posted September 10, 2008

Right, the reason your top function isn't working right is the order you have things in. For a start, the htmlentities() function converts certain dangerous characters to their HTML entity equivalent, so "<" becomes "&lt;" and ">" becomes "&gt;". This is why strip_tags() isn't doing anything: all tags have been changed from something like this: "<script>" to this: "&lt;script&gt;". I would do the following:

function clean_text($string) {
    return htmlentities(strip_tags(trim($string)));
}

so the order is: trim, strip_tags, htmlentities.

TBH I probably wouldn't use strip_tags. But why? Well, htmlentities() will make your HTML safe to display in the browser regardless of whether there are tags in there or not, and if you leave the tags in then you will be able to see what people are trying to do.
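The ordering point in the reply above, as an added example that is not code from this thread or from either poster. It runs the three orderings side by side on two constructed inputs (a pasted script tag, and a legitimate "x<y and y>z" comparison) so the difference is visible; the function names and sample strings are mine.

```php
<?php
// Added example (not code from the thread): why the order of trim(),
// strip_tags() and htmlspecialchars() matters, and what strip_tags() costs you.
declare(strict_types=1);

// Constructed sample inputs: the kind of text users paste into a form.
const PASTED_SCRIPT = "   <script>alert('x')</script> hello  ";
const PASTED_MATH   = "x<y and y>z";   // legitimate text, no markup intended

// Order from the original post: encode first, then strip, then trim.
// htmlspecialchars() turns '<' into '&lt;', so strip_tags() afterwards finds
// no '<' to treat as a tag and removes nothing; trim() still runs normally.
function clean_encode_then_strip(string $s): string
{
    $s = htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $s = strip_tags($s);
    return trim($s);
}

// Order from the reply: trim, strip tags, then encode for HTML output.
// strip_tags() removes the tags but keeps the text between them, and it also
// eats anything between a '<' followed by a non-space and the next '>'.
function clean_strip_then_encode(string $s): string
{
    return htmlspecialchars(strip_tags(trim($s)), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Encode only: store the raw text and escape it when it goes into an HTML
// body. Nothing the user typed can become markup, and "x<y and y>z" survives.
function encode_for_html_body(string $s): string
{
    return htmlspecialchars(trim($s), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach (['PASTED_SCRIPT' => PASTED_SCRIPT, 'PASTED_MATH' => PASTED_MATH] as $name => $input) {
    echo $name, "\n";
    echo "  encode then strip: ", clean_encode_then_strip($input), "\n";
    echo "  strip then encode: ", clean_strip_then_encode($input), "\n";
    echo "  encode only:       ", encode_for_html_body($input), "\n";
}
```

Run it with `php example.php`. The encode-then-strip variant leaves the script markup in place as entities, because strip_tags() never sees a literal "<"; the strip-then-encode variant keeps the "alert('x')" text but drops "<y and y>" from the second input, which is the data loss the reply warns about. In both safe orderings it is htmlspecialchars() at output time, not strip_tags(), that stops the input from being rendered as markup, and the escaping has to match the context (an HTML attribute or a JavaScript string needs different treatment from an HTML body).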
betazoid Posted September 11, 2008 (Author)

Thanks guys.

@Maq: when I tried to echo the $webcleaned string it didn't echo; it does print the value of $webcleaned in the function, and when I changed it to your method it did show the string without the @, but the PHP after it on process.php still echoed $urlcheck with the @ and $webcleaned as blank.

@ian: Thanks, I see what you mean by the order of things. I probably read too much into security lol, and using both is likely a bit of overkill, but what I'm hoping is to build it up so that sometimes people might really write "2 < 3 and 3 > 1", or like on here where they add code in a post, hence specialchars did that; then I was hoping that strip_tags could get rid of things like javascript(). The method you gave works; the leading spaces get chopped off too. I added that because sometimes when a user clicks copy on a webpage it copies the text but also a bit of leading spaces, typically if they just cut and paste things into text fields, but I don't think I'm using the best method to achieve that.