cs.punk, posted April 2, 2009:
I got the following code:

    $username = strip_tags($_POST['username']);
    $password = strip_tags($_POST['password']);
    $email = strip_tags($_POST['email']);
    $username = strip_tags($username,"<i></i>");
    $password = strip_tags($password);
    $email = strip_tags($email);

But when I later put each variable into the database, it still shows up with <h1> if I type it...

Thread: https://forums.phpfreaks.com/topic/152271-solved-how-to-use-strip-tags/
Zane, posted April 2, 2009:
Gonna have to show more code than that... obviously it happens when you put it in the database... so... show that code, preferably.
cs.punk (author), posted April 2, 2009:

    <?php
    if (isset($_SESSION['user'])) {
        echo "<p align=\"center\" class=\"paragraph\">You are already logged in. Do you maybe want to log out? If so <a href=\"logout\">click here.</a>";
    } else {
        if (isset ($_POST['username']) && ($_POST['password']) && ($_POST['email']) ) {
            $username = strip_tags($_POST['username']);
            $password = strip_tags($_POST['password']);
            $email = strip_tags($_POST['email']);
            $username = strip_tags($username,"<i></i>");
            $password = strip_tags($password);
            $email = strip_tags($email);
            $con = mysqli_connect ("$dbhost","$dbuser","$dbpass","$dbname") or die ("Couldn't connect to server");
            $sql = "INSERT INTO users (username, password, email) VALUES ('$_POST[username]', '$_POST[password]', '$_POST[email]')";
            mysqli_query($con,$sql);
            echo "Congratulations you have successfully registered you can now login!";
        }
    }
kenrbnsn, posted April 2, 2009:
You're inserting the unmodified values in $_POST. Change:

    $sql = "INSERT INTO users (username, password, email) VALUES ('$_POST[username]', '$_POST[password]', '$_POST[email]')";

to

    $sql = "INSERT INTO users (username, password, email) VALUES ('$username', '$password', '$email')";

You should also use mysql_real_escape_string on those values:

    $username = mysql_real_escape_string(strip_tags($_POST['username']));
    $password = mysql_real_escape_string(strip_tags($_POST['password']));
    $email = mysql_real_escape_string(strip_tags($_POST['email']));

Also, your "if" statement is wrong. It should be:

    if (isset($_POST['username']) && isset($_POST['password']) && isset($_POST['email']))

Ken
charleshill, posted April 2, 2009:
Well, for one... You don't need to put closing tags in the second argument for strip_tags. So you can leave out </i>.

Second, this is not related to your question, but... You should use htmlspecialchars and mysql_real_escape_string on any text strings you plan on inserting into your database. Someone could easily use a register form with that code you posted to inject anything they want into your database.

edit -- Ya, Ken found it.
cs.punk (author), posted April 3, 2009:
:) Sorry, I was under the impression that the actual $_POST['username'] would be MODIFIED by it. Thanks for that. And with the ,"<i></i>" I was just seeing if there would be a difference lol. Thanks a lot zanus, kenrbnsn and charleshill!
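An added example, not code from the thread, showing what strip_tags() actually does: it returns a new string and never modifies its argument, its second argument needs only the opening tag, and it leaves the text between tags behind, so anything echoed back into a page still needs htmlspecialchars() at output time. The $input array is a constructed stand-in for $_POST.

```php
<?php
// Added example (not from the thread). $input stands in for $_POST with
// constructed values; nothing here touches a database.
$input = [
    'username' => '<h1>punk</h1> <i>rocks</i>',       // constructed sample
    'password' => 'p<script>alert(1)</script>ass',   // constructed sample
    'email'    => 'punk@example.com<br>',            // constructed sample
];

// strip_tags() returns a new string; the original array entry is untouched
// until you assign the result back to something.
$username = strip_tags($input['username'], '<i>'); // '<i>' alone is enough; no closing tag needed
var_dump($input['username'] === '<h1>punk</h1> <i>rocks</i>'); // bool(true): $input unchanged
var_dump($username);                                           // string(17) "punk <i>rocks</i>"

// Only the tags go; the text between them stays. strip_tags() is not a sanitizer.
$password = strip_tags($input['password']);
var_dump($password);                                           // string(12) "palert(1)ass"
$email = strip_tags($input['email']);
var_dump($email);                                              // string(16) "punk@example.com"

// Whatever was stored, encode at the point where it is placed into HTML, so a
// value like "<h1>" is displayed as text rather than interpreted as markup.
function render(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
echo render($username), "\n"; // punk &lt;i&gt;rocks&lt;/i&gt;
echo render($input['username']), "\n"; // &lt;h1&gt;punk&lt;/h1&gt; &lt;i&gt;rocks&lt;/i&gt;
```

Run with `php example.php`. Note that the output encoding in render() also neutralises the <i> that strip_tags() was told to allow; if you want an allowed tag to render, the allow-list and the output encoding have to be designed together rather than applied one after the other.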
cs.punk (author), posted April 3, 2009:
Using strip_tags and mysql_real_escape_string, you could still use a word like OR, which would be sent as an SQL query... How does one stop that from happening?
MasterACE14, posted April 3, 2009:
Those functions don't change the query.
Zane, posted April 3, 2009:
Here's a good tutorial on securing your SQL queries: http://forum.codecall.net/security-tutorials/4422-php-sql-injections.html
cs.punk (author), posted April 8, 2009:
I noticed that dollar signs are not escaped... What if one were to register with a username as $password?... I noticed it does not show the contents; it displays the actual $password.
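An added example, not code from the thread, for the two questions above (a username containing OR, and a username that looks like $password): with a prepared statement the SQL text is fixed and user data is bound separately, so keywords and quotes are stored as plain bytes, and a runtime string is never variable-interpolated the way a double-quoted PHP literal is. It uses PDO with an in-memory SQLite database so it runs offline; that is a swap for this example, and the same prepare()/execute() pattern applies to mysqli or PDO_MySQL against the thread's `users` table. The $posts array is a constructed stand-in for $_POST.

```php
<?php
// Added example (not from the thread). PDO + SQLite in memory stands in for
// the MySQL connection so the script runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT, email TEXT)');

// Constructed inputs standing in for $_POST: one carries an SQL keyword and a
// quote, one looks like a PHP variable name (single quotes keep it literal,
// exactly as a browser would submit those nine characters).
$posts = [
    ['username' => "punk' OR '1'='1", 'password' => '$password', 'email' => 'a@example.com'],
    ['username' => 'zane',            'password' => 'hunter2',   'email' => 'z@example.com'],
];

// The statement text contains only placeholders. The values are handed to the
// driver separately, so they are never parsed as SQL: OR is just two letters
// inside a value, and the quote cannot close the string.
$insert = $db->prepare(
    'INSERT INTO users (username, password, email) VALUES (:u, :p, :e)'
);
foreach ($posts as $row) {
    $insert->execute([
        ':u' => strip_tags($row['username']),
        ':p' => $row['password'],
        ':e' => strip_tags($row['email']),
    ]);
}

// Read back: two rows, stored verbatim.
$rows = $db->query('SELECT username, password FROM users ORDER BY rowid')
           ->fetchAll(PDO::FETCH_ASSOC);
var_dump(count($rows) === 2);                         // bool(true)
var_dump($rows[0]['username'] === "punk' OR '1'='1"); // bool(true): kept as data
var_dump($rows[0]['password'] === '$password');       // bool(true): the literal text, no variable lookup

// Lookups use placeholders too, so a username carrying OR matches only itself.
$find = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :u');
$find->execute([':u' => "punk' OR '1'='1"]);
var_dump((int) $find->fetchColumn() === 1);           // bool(true): one exact match, not every row

// For comparison, building the same query by interpolation would put the
// submitted quote and OR into the SQL text itself; this is only printed, not run.
$bad = "SELECT COUNT(*) FROM users WHERE username = '{$posts[0]['username']}'";
echo $bad, "\n"; // SELECT COUNT(*) FROM users WHERE username = 'punk' OR '1'='1'
```

Run with `php example.php` (requires the pdo_sqlite extension, which ships with most PHP builds). The printed $bad string shows why escaping functions were being discussed: the interpolated query's WHERE clause now contains an extra OR condition, whereas the bound value in $find is compared as a single string.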