$theSubject = mysql_real_escape_string(htmlspecialchars($_POST['subject']....

mysql_real_escape_string adds slashes to text in order to escape characters that would be harmful to use in a database query.

 

EDIT: if you're still seeing slashes after retrieving your data from the db, it means you have magic quotes turned on.  You'll need to run all of the data you want to save to the db through stripslashes before running it through mysql_real_escape_string.  The escape function's slashes essentially disappear after the data is inserted.

If magic quotes is turned on, do I need mysql_real_escape_string?

 

Yes.  Again, run all your input through stripslashes, then mysql_real_escape_string.  The slashes added by magic quotes don't escape all possible dangerous characters.

 

Make a generalized data cleaning function like:

 

   function clean($value)
   {
      if (is_array($value))
      {
         foreach($value as $k => $v)
         {
            $value[$k] = clean($v);
         }
      }
      else
      {
         if(get_magic_quotes_gpc() == 1) //if magic quotes is turned on
         {
            $value = stripslashes($value); // strip the automatically-given slashes
         }

         $value = trim(htmlentities($value, ENT_QUOTES, "utf-8")); //convert input into friendly characters to stop XSS
         $value = mysql_real_escape_string($value); // escape the data properly
      }
   
      return $value;
   }

 

Then you can use it like so:

 

// regex validation to ensure input is of the right form goes here

$username = clean($_POST['username']);
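As an added example (not code from the thread), here is a small Python emulation of the PHP pipeline the replies above describe, so the double-escaping you get when magic quotes is on, and the characters magic quotes leaves untouched, can be checked directly. The functions named after PHP builtins are emulations of their escape rules, not calls into PHP; `escape_as_received` and `clean` are names chosen here, the latter mirroring the thread's function.

```python
# Added example (not from the thread): Python emulation of the PHP escaping
# pipeline discussed above. magic_quotes()/stripslashes() model addslashes()/
# stripslashes(); mysql_real_escape_string() models that PHP function's escape
# set; mysql_unescape() models what MySQL stores for the escaped literal.
ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
UNESCAPES = {v[1]: k for k, v in ESCAPES.items()}  # 'n' -> '\n', 'Z' -> '\x1a', ...

def magic_quotes(s: str) -> str:
    """magic_quotes_gpc = addslashes(): only ' " \\ and NUL get a backslash."""
    return "".join(ESCAPES[c] if c in "'\"\\\0" else c for c in s)

def _unbackslash(s: str, table: dict) -> str:
    """Drop one backslash per escaped char, mapping the char through table."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(table.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def stripslashes(s: str) -> str:
    """PHP stripslashes(): \\0 becomes NUL, any other \\x becomes x."""
    return _unbackslash(s, {"0": "\0"})

def mysql_real_escape_string(s: str) -> str:
    """Escape every character MySQL treats specially inside a quoted literal."""
    return "".join(ESCAPES.get(c, c) for c in s)

def mysql_unescape(s: str) -> str:
    """What MySQL keeps once it parses the literal: the slashes 'disappear'."""
    return _unbackslash(s, UNESCAPES)

def escape_as_received(raw: str, magic_on: bool = True) -> str:
    """Escape the request value as-is: double-escapes when magic quotes is on."""
    value = magic_quotes(raw) if magic_on else raw   # what $_POST holds
    return mysql_real_escape_string(value)

def clean(raw: str, magic_on: bool = True) -> str:
    """The thread's advice: undo magic quotes first, then escape exactly once."""
    value = magic_quotes(raw) if magic_on else raw   # what $_POST holds
    if magic_on:                                     # get_magic_quotes_gpc() == 1
        value = stripslashes(value)
    return mysql_real_escape_string(value)
```

With magic quotes on, `escape_as_received("O'Reilly")` stores `O\'Reilly` (a stray backslash, exactly the symptom the EDIT above describes), while `clean` stores `O'Reilly` whether magic quotes is on or off; `magic_quotes` also leaves newline and Ctrl-Z untouched, which is why it is no substitute for the real escape.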

sure thing

 

 


<?php 
  
class BBCode { 
     protected $bbcodes; // Store array of BBCodes 
     protected $vbbcodes; // Store array of Variable BBCodes 
     var $debug = ''; // Store any errors 
     var $selection = ''; // Store the selection to be parsed first 
     var $parsed = ''; // Store the parsed selection. 
     var $path2emoticon = 'http://www.runningprofiles.com/emoticons/'; // Set the path to the emoticon images. 
     var $imgext = '.gif'; // Set this to the ext of the images 
     public $emoticons =  
          array( '' => 'Roll Eyes', '' => 'Smiley', '' => 'Wink', '' => 'Cheesy', '' => 'Grin', '' => 'Angry', 
          '' => 'Sad', '' => 'Shocked', '' => 'Cool', '???' => 'Huh', '' => 'Tongue', ':-[' => 'Embarrassed',  
          ':-X' => 'Lips Sealed', ':-\\' => 'Undecided', '' => 'Kiss', ':*(' => 'Cry' );  
          // All emoticons. Spaces and caps will be removed for image names. 
          // Keys shown as '' lost their text code when the forum rendered this post as images; str_ireplace() returns the subject unchanged for an empty needle, so those entries do nothing until refilled. 
      
     function parseCode($security=0) { // Security defaults to 0. Set to 1 for non-variable bbcodes only. 
          if(!$this->selection) { // Check if the user has set the selection. 
               $this->debug .= "You must set a value for the selection before parsing! "; // Set the Debug variable if not. 
          }else{ 
               if($this->parsed) { // Check if text has already been parsed. 
                    $this->debug .= "You must run the code parser before the emoticon parser! "; // Set the Debug variable if so. 
               }else{ 
                    $selection = str_replace("\n", '', $this->selection); // Set selection variable for inside function only. 
                    $selection2 = htmlentities(str_replace("\n", '', $this->selection)); // Remove html entities for security. 
                    $this->selectCodes($security); // Select codes depending on security. 
                    #### Start [code] Section ### 
                    preg_match_all("/\[code\].+\[\/code\]/Ui", $selection2, $matches); // Check for [code] tags. Set the matches array. 
                    $i = 0; // Set the variable to the default of 0. 
                    while(isset($matches[0][$i])) { // Check for match from preg_match. 
                         $selection = str_ireplace(html_entity_decode($matches[0][$i]), "[code$i]", $selection); // Decode and replace for strip tags. 
                         $i++; // Add one to the variable to loop. 
                    } 
                    $selection = strip_tags($selection); // Strip tags from the selection. 
                    while($i>0) { // Reloop through matches. 
                         $i--; // Remove one from the variable to loop. 
                         $m = html_entity_decode($matches[0][$i]); // Decode the match for accurate removal. 
                         $m = str_ireplace("[code]", "", $m); // Remove [code] tag. 
                          $m = str_ireplace("[/code]", "", $m); // Remove [/code] tag. 
                          $m = highlight_string($m, true); // Highlight string and encode. 
                          $selection = str_ireplace("[code$i]", "[code]" . $m . "[/code]", $selection); // Add highlighted code back with tags for later parsing. 
                     } 
                     #### End [code] Section #### 
                    ### Start BBCode Section ### 
                    foreach ($this->bbcodes as $key => $value) { // Loop through bbcodes. 
                         $selection = str_ireplace($key, $value, $selection); // Replace the $key value(bbcode) with the $value value(html code). 
                    } 
                    #### End BBCode Section ### 
                    ### Start Var. BBCode Sec. ## 
                    if($security==0) { // Only loop through if security allows it. 
                         foreach ($this->vbbcodes as $key => $value) { // Loop through variable bbcodes. 
                              unset($matches); // Unset matches set in earlier code. 
                              $i = 0; // Set the variable to the default of 0. 
                              preg_match_all($key, $selection, $matches); // Find all instances of the variable bbcode set them to matches. 
                              // Preg Matching also stores the "variables" inside the matches var. with the matches. 
                              while(isset($matches[0][$i])) { // Check if there are any instances. 
                                   $v = str_replace("*", $matches[1][$i], $value); // Replace the asterisk with the variable value. 
                                   if(isset($matches[2][$i])) { // Check for more than one variable. 
                                        $v = str_replace("~", $matches[2][$i], $v); // Replace the ~ with the second variable value. 
                                   } 
                                   $selection = str_replace($matches[0][$i], $v, $selection); // Replace the match with the accumulated variable. 
                                   $i++; // Add one to the variable to loop. 
                              } 
                         } 
                    } 
                    ### End Var. BBCode Sec. ## 
                    $this->parsed = $selection; // Insert the accumulated parsed selection into the parsed variable as to keep selection original. 
                    unset($selection); // Remove all value from private variable selection. 
               } 
          } 
     } 
      
      protected function selectCodes($security=0) { // Security defaults to 0. Set to 1 for non-variable bbcodes only. 
      switch ($security) { // Switch between 0 and 1. 
         default: // In the case of security being anything but one. Defaulting to zero. 
         case 0: // In the case of security being zero. 
             $this->bbcodes = 
                array( "[i]" => "<i>", "[/i]" => "</i>",  "[b]" => "<b>", "[/b]" => "</b>", "[u]" => "<u>", "[/u]" => "</u>", "[s]" => "<del>", "[/s]" => "</del>", "[move]" => "<marquee>", "[/move]" => "</marquee>", 
                "[center]" => "<center>", "[/center]" => "</center>", "[hr]" => "<hr />", "[table]" => "<table>", "[/table]" => "</table>", "[tr]" => "<tr>", "[/tr]" => "</tr>", "[td]" => "<td>", 
                "[/td]" => "</td>", "[sub]" => "<sub>", "[/sub]" => "</sub>", "[sup]" => "<sup>", "[/sup]" => "</sup>", "[tt]" => "<tt>", "[/tt]" => "</tt>", "[list]" => "<ul>", "[/list]" => "</ul>", "[list][*]" => "<li>", 
                "[/list]" => "</li>", "[/size]" => "</font>", "[/face]" => "</font>", "[/color]" => "</font>", "[p]" => "<p>", "[/p]" => "</p>", 
                "[code]" => "<p style=\"background: #BBBBBB; border: 1px solid #555555; padding: 6px;\"><span style=\"font: bold 10px Courier New;\">   CODE :</span><br/>", "[/code]" => "</p>"); 
             // BBCode array including their replacement. (The [center], [table]/[tr]/[td], [code] and [/code] keys did not survive the forum rendering of this post and are restored from their HTML replacements.) 
            $this->vbbcodes =  
               array( "/\[size=(.+)\]/Ui" => "<font size=\"*\">", "/\[face=(.+)\]/U" => "<font face=\"*\">", "/\[color=(.+)\]/Ui" => "<font color=\"*\">", "/\[img\](.+)\[\/img\]/Ui" => "<img src=\"*\"  alt=\"img\"/>", 
               "/\[email\](.+)\[\/email\]/Ui" => "<a href=\"mailto:*\">*</a>", "/\[url\](.+)\[\/url\]/Ui" => "<a href=\"http://*\"> * </a>", "/\[email=(.+)\](.+)\[\/email\]/Ui" => "<a href=\"mailto:*\"> ~ </a>", 
               "/\[url=(.+)\](.+)\[\/url\]/Ui" => "<a href=\"*\">~</a>", "/\[quote](.+)\[\/quote\]/is" => "    
                           <div class=\"quote_header\">Quote:</div><div class=\"quote_body\">*</div>", "/\[quote=(.*)\](.*)\[\/quote\]/is" => 
"<div><table style=\"BORDER-RIGHT: black 1px solid; BORDER-TOP: black 1px solid; BORDER-LEFT: black 1px solid; WIDTH: 100%; BORDER-BOTTOM: black 1px solid; BORDER-COLLAPSE: collapse\"><tbody><tr><td style=\"BORDER-RIGHT: black 1px solid; BORDER-TOP: black 1px solid; PADDING-LEFT: 3px; BACKGROUND: #99b3b4; BORDER-LEFT: black 1px solid; BORDER-BOTTOM: black 1px solid\">Quote by <a href=\"*\">*</a></td>        </tr>
<tr><td style=\"BORDER-RIGHT: black 1px dotted; BORDER-TOP: black 1px dotted; PADDING-LEFT: 4px; BORDER-LEFT: black 1px dotted; BORDER-BOTTOM: black 1px dotted\">~ </td></tr></tbody></table></div>" );                     
                     

            // Variable BBCode array including their replacement and variable position(s). 
            break; 
         case 1: // In the case of security being one. 
             $this->bbcodes = 
                array( "[i]" => "<i>", "[/i]" => "</i>", "[b]" => "<b>", "[/b]" => "</b>", "[u]" => "<u>", "[/u]" => "</u>", "[s]" => "<del>", "[/s]" => "</del>", "[move]" => "<marquee>", "[/move]" => "</marquee>", 
                "[center]" => "<center>", "[/center]" => "</center>", "[hr]" => "<hr />", "[table]" => "<table>", "[/table]" => "</table>", "[tr]" => "<tr>", "[/tr]" => "</tr>", "[td]" => "<td>", 
                "[/td]" => "</td>", "[sub]" => "<sub>", "[/sub]" => "</sub>", "[sup]" => "<sup>", "[/sup]" => "</sup>", "[tt]" => "<tt>", "[/tt]" => "</tt>", "[list]" => "<ul>", "[/list]" => "</ul>", "[list][*]" => "<li>", 
                "[/list]" => "</li>", "[code]" => "<p style=\"background: #BBBBBB; border: 1px solid #555555; padding: 6px;\"><span style=\"font: bold 10px Courier New;\">   CODE :</span><br/>", 
                "[/code]" => "</p>", 
                "" => "<p style=\"background: #BBBBBB; border: 1px solid #555555; padding: 6px;\"><span style=\"font: bold 10px Courier New;\">   CODE :</span><br/>", "" => "</p>"); 
             // BBCode array including their replacement. (Same key restoration as case 0; the last two entries were a second code-box tag pair whose names were lost in the forum rendering, so they are left empty and do nothing.) 
             break; 
       } 
       } 

     function parseEmoticons($noBBCode=0) { // noBBCode defaults to 0. If set to 1 the parser will not be able to parse BBCode. 
          if(!$this->selection) { // Check if the user has set the selection. 
               $this->debug .= "You must set a value for the selection before parsing! "; // Set the Debug variable if not. 
          }else{ 
               $error = 0; // Default to no errors. 
               if($this->parsed) { // If something has already been parsed. 
                    $selection = str_replace("\n", '', $this->parsed); // Set the parsed value in order to not reset the already parsed selection. 
               }elseif($noBBCode==1) { // If nothing has been parsed and the noBBCode variable has been set to one. 
                    $selection = str_replace("\n", '', $this->selection); // Set the selection value to variable selection. 
                    $error = 2; // Set the error variable to 2 so that it will not look for [code] tags. 
               }else{ // If all else fails. 
                    $this->debug .= "You must parse BBCode first or set the noBBCode variable to 1 (setting this variable will not allow bbcode to be parsed)! "; // Set the Debug variable if it gets here. 
                    $error = 1; // Set the error variable so the parser doesn't run. 
               } 
               if($error==0 or $error==2) { 
                    if($error==0) { // Only search if there has been parsing. 
                         unset($matches); 
                         preg_match_all('/\<p style="background: #BBBBBB; border: 1px solid #555555; padding: 6px;"\>.+\<\/p\>/Uim', $selection, $matches); // Finds all code selections. 
                         $i = 0; // Set the variable to the default of 0. 
                         while(isset($matches[0][$i])) { // Check for match from preg_match. 
                              $selection = str_ireplace($matches[0][$i], "[code$i]", $selection); // Replace for non-emoticon section. 
                              $i++; // Add one to the variable to loop. 
                         } 
                    } 
                    foreach($this->emoticons as $key => $value) { // For each emoticon set the key and value. 
                         $v = str_replace(" ", "", $value); // Remove all spaces from value but not replacing the value variable. 
                         $v = "<img src=\"" . $this->path2emoticon . strtolower($v) . $this->imgext . "\" alt=\"$value\" />"; // Set the image replacement up. 
                         $selection = str_ireplace($key, $v, $selection); // Replace the key with the set up image replacement. 
                    } 
                    if($error==0) { // Only search if there has been parsing. 
                         while($i>0) { // Reloop through matches. 
                              $i--; // Remove one from the variable to loop. 
                              $selection = str_ireplace("[code$i]", $matches[0][$i], $selection); // Add the codes back for final display. 
                         } 
                    } 
                    $this->parsed = $selection; // Insert the accumulated parsed selection into the parsed variable as to keep selection original. 
                    unset($selection); // Remove all value from private variable selection. 
               } 
          } 
     } 
} 
?> 
