
input security! Please help!


samoi


Hello guys!

 

I have an input field called "subject", for example!

 

Now I need to clean out all the bad input, if there is any, because it's going to be stored in the db!

 

<?php
$subject0 = $_POST['subject'];

$subject1 = preg_replace('/\n/', '<br />', $subject0); // replace new line with <br />!

$subject2 = mysql_real_escape_string($subject1); // escape for the SQL query

$subject3 = htmlspecialchars($subject2); // this also encodes the <br /> inserted above

// insert $subject3 to db!
?>

 

However, the <br /> from the preg_replace is not applied anymore!

All I need behind all this is to secure the inputs and replace \n with <br />!

 

Any help will be appreciated !

https://forums.phpfreaks.com/topic/178876-input-security-please-help/

i only have 2 seconds here so someone else will assist .. one thing:

 

no need to rename your initial variable ($subject0) over and over again. just use the same one all the way through; this way you don't get yourself mixed up.

 

best to create a function to handle your sanitizing.


Thank you for offering the help!

 

I just want to make it a little bit clearer!

:)

 

I wrote a function for the htmlspecialchars() and mysql_real_escape_string()

Just like:

<?php

function clean($text){
    $cleaned = mysql_real_escape_string($text); // escape for SQL
    $cleaned = htmlspecialchars($cleaned);      // then escape for HTML

    return $cleaned;
}

// But it still ignores the <br /> applied to the subject!

?>

This is the code I use to remove certain text:

 

$before = array('(', ')', '^', '<', '>', '`', '*');
$after  = array('', '', '', '', '', '', '');
$output = str_replace($before, $after, $message);

 

 

Thank you, but that would throw away the <br /> tag!

 

Thanks again for helping!

Is it only specialized in displaying new lines, or will it display anything like \t or whatever else?

Only new lines. A browser will render white space (tabs, spaces, returns, etc.) as a single space. nl2br() at least allows you to preserve returns when rendered in the browser. Otherwise, wrapping the output in <pre> tags will preserve all white space.

Look at this !

:(

 

This worked out for everything, probably, but not with double and single quotes!

Hello "world"! OR Hello 'World'!

would be \"World\" OR \'World\' when displaying it!

 

Help please

 

<?php
error_reporting(E_ALL & ~E_NOTICE); // was E_ALL & E_NOTICE, which reports notices only

$con = mysql_connect("localhost", "root", "root");
$db = mysql_select_db("posting");

if (isset($_POST['submit'], $_POST['post'])) {
    $post = $_POST['post'];
    if (empty($post)) {
        echo 'It\'s empty!';
        die();
    } else {
        $cleaned = strip_tags($post);
        // escaped for SQL and then for HTML before it is stored
        $cleaned = htmlspecialchars(mysql_real_escape_string($cleaned));
        $cleaned = str_replace("%20", "", $cleaned);

        $SQL = mysql_query("INSERT INTO post(post) VALUES('" . $cleaned . "')");
        if ($SQL) {
            echo 'INSERTED';
        } else {
            echo 'Not!';
        }
    }
} else {
?>
<form action="" method="post">
<textarea name="post"></textarea><br />
<input type="submit" name="submit" value="submit" />
</form>
<?php
    $MSQL = mysql_query("SELECT * FROM post ORDER BY id DESC LIMIT 1");
    while ($row = mysql_fetch_row($MSQL)) {
        $r = nl2br($row[1]); // column 1 is post (column 0 is id)
        // $rep = preg_replace('/\\"/', '"', $r); // this did not work!
        echo $r . "<br />"; // Hello \"World\"! <- this is how the output looks, even in the db !!
    }
}
?>

 

Help please!

So you are saying that when you retrieve information from the database you have slashes in front of characters such as quotes? Well, in that case magic_quotes must be enabled on your server. This means that your characters will be double escaped. To fix it, either disable magic_quotes or call stripslashes on the output before echoing it out.
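An added example, not code from any poster in this thread, showing the layering the replies point at: undo magic_quotes once on input, store the raw text with a prepared statement (PDO) instead of mysql_real_escape_string(), and apply htmlspecialchars() and then nl2br() only when displaying, so the <br /> survives and no backslashes appear. The DSN and credentials are assumed; the `post` table and column come from the thread.

```php
<?php
// Added example (not from this thread): one escaping step per layer, so
// nothing is encoded twice and the <br /> from nl2br() survives.

// 1. Input: undo magic_quotes_gpc once if an old server has it on, so the
//    stored text does not carry extra backslashes (removed in PHP 8).
function raw_input(string $name): string
{
    $value = $_POST[$name] ?? '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. Storage: a prepared statement replaces mysql_real_escape_string();
//    no htmlspecialchars() here, the text is stored exactly as typed.
function store_post(PDO $db, string $text): void
{
    $stmt = $db->prepare('INSERT INTO post (post) VALUES (:post)');
    $stmt->execute([':post' => $text]);
}

// 3. Output: HTML-escape only when displaying, and run nl2br() AFTER
//    htmlspecialchars() so its <br /> is not turned into &lt;br /&gt;.
function render_post(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// Assumed DSN and credentials; table/column names are the thread's.
$db = new PDO('mysql:host=localhost;dbname=posting;charset=utf8mb4', 'user', 'pass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

if (isset($_POST['submit'])) {
    $post = raw_input('post');
    if ($post === '') {
        exit('It\'s empty!');
    }
    store_post($db, $post);
    echo 'INSERTED';
}

$row = $db->query('SELECT post FROM post ORDER BY id DESC LIMIT 1')
          ->fetch(PDO::FETCH_ASSOC);
if ($row !== false) {
    echo render_post($row['post']);
}
```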
