pascal_22 Posted October 1, 2013 Share Posted October 1, 2013 (edited) Hello to all!!! I'm trying to strip_tags from a string: i thought that strip_tags delete the tags... If i check in my database after inserting an <a href>.... and the result is:<a href="www.google.ce">google</a> is that normal? i thought that it should delete all tags...? no? thanks! Edited October 1, 2013 by pascal_22 Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/ Share on other sites More sharing options...
AbraCadaver Posted October 1, 2013 Share Posted October 1, 2013 Those aren't tags. You ran htmlentities() on it before hand, thereby converting the < > etc. into entities such as < > which do not make tags. Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/#findComment-1452058 Share on other sites More sharing options...
pascal_22 Posted October 1, 2013 Author Share Posted October 1, 2013 Thanks for your reply! Sorry i dont understand. You mean that <a href...> is not a tag? If i delete my strip_tags... all <div>,<b><u><i><font> are correctly added in my db fields.... but if i insert a <a href>.....it replace < by < and > by $gt;... why? thanks Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/#findComment-1452074 Share on other sites More sharing options...
pascal_22 Posted October 1, 2013 Author Share Posted October 1, 2013 also... i didn't use htmlentities() function Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/#findComment-1452075 Share on other sites More sharing options...
Ch0cu3r Posted October 1, 2013 Share Posted October 1, 2013 (edited) Well somewhere you're either calling htmlentities(), htmlspecialchars() or another function somewhere is converting the < and > to < and >. strip_tags() will do as it says it do, remove (raw) html markup. If your html markup is <a href="www.google.ce">google</a> then that is not raw html, but html converted to its entities. Does the following $text = '<p><b>Hello</b> <a href="www.google.ce">google</a> World<p>'; echo strip_tags($text); produce the same result? Edited October 1, 2013 by Ch0cu3r Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/#findComment-1452077 Share on other sites More sharing options...
AbraCadaver Posted October 1, 2013 Share Posted October 1, 2013 also... i didn't use htmlentities() function Post the code from where the variable exists unmodified up to where it is inserted in the db. Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/#findComment-1452080 Share on other sites More sharing options...
pascal_22 Posted October 1, 2013 Author Share Posted October 1, 2013 Ok i find something... but didn't help me...... You code $text = '<p><b>Hello</b> <a href="www.google.ce">google</a> World<p>';echo strip_tags($text); works correctly.. Also if i add <a href="www.google.ce">google</a> in a NORMAL textbox or textarea.... it works... I have i text field with NiceEditor... that let user format the text... it's in that one that the link a href are transformed..... but in other normal textarea and input type=text... all is good!!! So i dont know why niceEdotor.. change it...... any idea? thanks a lot! Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/#findComment-1452082 Share on other sites More sharing options...
AbraCadaver Posted October 1, 2013 Share Posted October 1, 2013 Ok i find something... but didn't help me...... You code works correctly.. Also if i add <a href="www.google.ce">google</a> in a NORMAL textbox or textarea.... it works... I have i text field with NiceEditor... that let user format the text... it's in that one that the link a href are transformed..... but in other normal textarea and input type=text... all is good!!! So i dont know why niceEdotor.. change it...... any idea? thanks a lot! Just out of curiosity, why do you provide an editor to let the user format text as HTML if you are just going to strip out the tags afterwards? Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/#findComment-1452083 Share on other sites More sharing options...
pascal_22 Posted October 1, 2013 Author Share Posted October 1, 2013 i know it should sounds strange... but i want only accept underline,bold,italic,fontcolor.... only that!!! And it's nice for the user to see what they format!!! only for that thanks for your help to all! PAscal Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/#findComment-1452084 Share on other sites More sharing options...
pascal_22 Posted October 1, 2013 Author Share Posted October 1, 2013 also to delete any script.... that a user can insert.... but i think... strip_tags doesn't do that! it doesnt? Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/#findComment-1452086 Share on other sites More sharing options...
Solution AbraCadaver Posted October 1, 2013 Solution Share Posted October 1, 2013 i know it should sounds strange... but i want only accept underline,bold,italic,fontcolor.... only that!!! And it's nice for the user to see what they format!!! only for that thanks for your help to all! PAscal You can try: $text = html_entity_decode($text); $text = strip_tags($text, '<b><i><font>'); Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/#findComment-1452087 Share on other sites More sharing options...
AbraCadaver Posted October 1, 2013 Share Posted October 1, 2013 also to delete any script.... that a user can insert.... but i think... strip_tags doesn't do that! it doesnt? Yes, if it is in <script> tags. Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/#findComment-1452088 Share on other sites More sharing options...
pascal_22 Posted October 1, 2013 Author Share Posted October 1, 2013 Hey Thanks a LOT!!! It works with html_entity_decode($text); And yes the script tag is deleted After doing: strip_tags,mysqli_real_escape_string.... am i still open to hacker? I mean should i delete other things? And what happen for <?php .... ?> if inserted in text? thanks a lot! Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/#findComment-1452092 Share on other sites More sharing options...
Ch0cu3r Posted October 1, 2013 Share Posted October 1, 2013 (edited) And what happen for <?php .... ?> if inserted in text? Nothing, as PHP code is not executed within strings. Unless you use eval() echo '<?php echo "danger"; ?>'; Will output <?php echo 'danger'; ?> and the web browser will interpret it as as XML code thought. Edited October 1, 2013 by Ch0cu3r Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/#findComment-1452093 Share on other sites More sharing options...
AbraCadaver Posted October 1, 2013 Share Posted October 1, 2013 Hey Thanks a LOT!!! It works with html_entity_decode($text); And yes the script tag is deleted After doing: strip_tags,mysqli_real_escape_string.... am i still open to hacker? I mean should i delete other things? And what happen for <?php .... ?> if inserted in text? thanks a lot! Also, strip_tags() strips the php tags. You should be fine since you are using mysqli_real_escape_string() Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/#findComment-1452094 Share on other sites More sharing options...
pascal_22 Posted October 1, 2013 Author Share Posted October 1, 2013 ok thanks a lot !!! I really appreciate for all you help!!!! Have a good night!!! Pascal Quote Link to comment https://forums.phpfreaks.com/topic/282608-strip_tags-problem/#findComment-1452095 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.