Don't allow &nbsp, &copy, &paste, etc. is there a php function?

[shortysbest]

I don't want to allow the user to post these because it appears as a blank space, so I was hoping there was a function to disable all of these, rather than doing them all manually :\

[Alex]

Using htmlentities will solve this problem. Ex:   will be converted to  

[shortysbest]

im using that. I have it so when u send the stAtus message it uses this:

 

$status = htmlentities((get_magic_quotes_gpc())?mysql_real_escape_string(stripslashes($_POST['status'])):mysql_real_escape_string($_POST['status']));

 

then to call it from the database:

$msg = htmlentities(get_magic_quotes_gpc())?nl2br(strip_tags(stripslashes($_POST['status']))):nl2br(strip_tags($_POST['status']));

[Alex]

You shouldn't be performing htmlentities when you're inserting the data into and when displaying it from the database.

 

You also have a problem with this line:

 

$msg = htmlentities(get_magic_quotes_gpc())?nl2br(strip_tags(stripslashes($_POST['status']))):nl2br(strip_tags($_POST['status']));

 

You're messing up the parenthesis. Your conditional is [m]htmlentities(get_magic_quotes_gpc())[tt].

[shortysbest]

neither fixed it :\

[Alex]

Post your code for inserting it into and displaying it from the database.

[shortysbest]

<?php  session_start(); error_reporting(0); include('../../connect.php'); include('../../ajaxvars.php');
$uid = $_SESSION['uid'];
if(isset($_POST['status']))
{

///////////INSERT TO DATABASE//////////////////////////////
$status = htmlentities((get_magic_quotes_gpc())?mysql_real_escape_string(stripslashes($_POST['status'])):mysql_real_escape_string($_POST['status']));
//////////////////////////////////////////////////////

$date = date('Y-m-d h:m:s e');
mysql_query("INSERT INTO status VALUES('','$status','$uid', '$session', '$date')") or die('There was an error connecting to the database at this time.');
$sql_in= mysql_query("SELECT * FROM status ORDER BY id DESC");
$r = mysql_fetch_array($sql_in);
///////////GET FROM DATABASE //////////////////////////////////////////////////
$msg = htmlentities(get_magic_quotes_gpc())?nl2br(strip_tags(stripslashes($_POST['status']))):nl2br(strip_tags($_POST['status']));
////////////////////////////////////////////////////////////////////////
$msg_id = $r['id'];

$from_id = $session;
$query = mysql_query("SELECT * FROM users WHERE id='$from_id'");
$ua = mysql_fetch_assoc($query);
}
?>
<li class="bar<?php echo $msg_id; ?>"><div class="profile-comment-container"><div onClick="<?php print $userlink;?>" class="profile-comment-thumb"><img src="assets/l_6d3ec56cb4bc4edf84b4b12ada71e19e.jpg" width="60" height="60" border="0"></div><div class="profile-comment-message">
<b><a class="user-link" href="index.php?node=profile&user=<?php print $uid;?>"><?php print $ua['fname'].' '.$ua['mname'].' '.$ua['lname'];?></a></b> <?php print $msg;?>
<div class="profile-comment-extras">Comment<div class="profile-comment-date"><?php print date('g:m A \\o\n  l, F j, Y', strtotime($status['date']));?></div></div>
</li>

[Alex]

Why are you reading from the $_POST array when you're getting the data from the database? Shouldn't you be doing something like this?:

 

$msg = nl2br(stripslashes($r['status']));

[shortysbest]

this is an ajax file, i am using post in this file to fade the comment(s) posted without refreshing the page. In the parent page i do get it from the database.

[Alex]

This isn't making much sense.

 

You're trying to fade the comments in and getting the data via AJAX?

 

Your code is getting $msg from whatever you sent to the file via AJAX, that's not getting it from the database at all. You need to explain better because this really isn't making any sense. 

[shortysbest]

in this file, update_status.php, $msg gets its data from the $_POST from the form on the other page. which in my case is profile.php. I use ajax to post the comment with the data that it gets from the form while the user is on the status page, ajax posts to this file i have above.

 

when i say the comments fade in, I don't mean all of them, Just when the user, any user, comments on the profile.. (hits comment button), it fades the new comment in using the Post data, and it sends it to the database as well, but to get the fade in of teh new comment when they post it it uses the post data to display that.

 

i hope i have explained it well enough. :\ but my problem is just the &nbsp etc.

[Alex]

Did you try fixing what I said initially? If that's fixed it should work:

 

$msg = htmlentities(get_magic_quotes_gpc() ? nl2br(strip_tags(stripslashes($_POST['status']))) : nl2br(strip_tags($_POST['status'])));

[shortysbest]

yeah and it doesn't work. :\

[Alex]

Aside from the fact that you should be performing nl2br after htmlentities so you don't remove the html line breaks you just inserted, it does worked as expected, I just tested.

 

$msg = nl2br(htmlentities(get_magic_quotes_gpc() ? strip_tags(stripslashes($_POST['status'])) : strip_tags($_POST['status'])));

 

When you enter   into the form you see   (  in the html) not a space.

[shortysbest]

oh now i see what you meant.. That's not what i meant though. I don't want the user to be able to submit a form if all they have entered is things like &nbsp, &paste, etc.  It's just it posts a blank comment.

[ChemicalBliss]

To make sure there are characters;

if(!preg_match("/[a-z]+/i",$input))){
   exit("Error: Must contain some Text");
}

 

Dirty way to make sure they don't use entity characters:

if(html_entity_decode($input) != $input){
   exit("Error: Cannot contain HTML Entity codes (  etc)");
}

 

Another dirty way to check they don't use HTML tags:

if(strip_tags($input) != $input){
   exit("Error: Cannot contain HTML Tags (<b>, <i> etc)");
}

 

-cb-

[shortysbest]

Thanks a lot, I will test that in a bit