[SOLVED] How to use strip tags?

[cs.punk]

I got the following code :

$username = strip_tags($_POST['username']);
   $password = strip_tags($_POST['password']);
   $email = strip_tags($_POST['email']);
   
   $username = strip_tags($username,"<i></i>");
   $password = strip_tags($password);
   $email = strip_tags($email);

 

But when I later put each varible into the database, it still shows up with <h1> if I type it...

[Zane]

gonna have to show more code than that..

obviously it happens when you put it in the database....so.....show that code preferably

[cs.punk]

<?php
if (isset($_SESSION['user']))
{echo "<p align=\"center\" class=\"paragraph\">You are already logged in. Do you maybe want to log        out? If so <a href=\"logout\">click here.</a>";
}
else
{if (isset ($_POST['username']) && ($_POST['password']) && ($_POST['email']) )
  {$username = strip_tags($_POST['username']);
   $password = strip_tags($_POST['password']);
   $email = strip_tags($_POST['email']);
   
   $username = strip_tags($username,"<i></i>");
   $password = strip_tags($password);
   $email = strip_tags($email);
  
   $con = mysqli_connect ("$dbhost","$dbuser","$dbpass","$dbname")
          or die ("Couldn't connect to server");

   $sql = "INSERT INTO users (username, password, email)
	  VALUES
	  ('$_POST[username]', '$_POST[password]', '$_POST[email]')";
   mysqli_query($con,$sql);

   echo "Congratulations you have sucsessfully registered you can now login!";
}

[kenrbnsn]

You're inserting the unmodified values in $_POST.

 

Change:

<?php
   $sql = "INSERT INTO users (username, password, email)
	  VALUES
	  ('$_POST[username]', '$_POST[password]', '$_POST[email]')";
?>

to

<?php
   $sql = "INSERT INTO users (username, password, email)
	  VALUES
	  ('$username', '$password', '$email')";
?>

 

You should also use mysql_real_escape_string on those values also:

<?php
   $username = mysql_real_escape_string(strip_tags($_POST['username']));
   $password = mysql_real_escape_string(strip_tags($_POST['password']));
   $email = mysql_real_escape_string(strip_tags($_POST['email']));
?>

 

Also, you're "if" statement is wrong. It should be:

<?php
if (isset($_POST['username']) && isset($_POST['password']) && isset($_POST['email']))
?>

 

 

Ken

[charleshill]

Well for one... You don't need to put closing tags in the second argument for strip_tags. So you can leave out </i>

 

Second, this is not related to your question, but..... You should use htmlspecialchars and mysql_real_escape_string on any text strings you plan on inserting into your database. Someone could easily use a register form with that code you posted to inject anything they want into your database.

 

edit-- Ya ken found it

[cs.punk]

:)Sorry I was under the impression that the actual $_POST['username'] would be MODIFIED by it. Thanks for that And with the ,"<i></i>" i was just seeing if there would be a difference lol.

 

Thanks allot zanus, kenrbnsn and charleshill!

[cs.punk]

Using strip_tags, mysql_real_escape_string you could still use a word like OR which would be sent as a SQL query... How does one stop that from happening?

[MasterACE14]

those functions don't change the query.

[Zane]

Here's a good tutorial on securing your SQL queries

http://forum.codecall.net/security-tutorials/4422-php-sql-injections.html

[cs.punk]

I noticed that dollar signs are not escaped.... What if one were to register with a username as $password ?... i noticed it does not show the contents, it displays the actual $password