pascal_22 Posted October 1, 2013 (edited)
Hello to all!!! I'm trying to strip_tags from a string: I thought that strip_tags deletes the tags... If I check in my database after inserting an <a href>.... the result is: &lt;a href="www.google.ce"&gt;google&lt;/a&gt; Is that normal? I thought that it should delete all tags...? No? Thanks!
AbraCadaver Posted October 1, 2013
Those aren't tags. You ran htmlentities() on it beforehand, thereby converting the < > etc. into entities such as &lt; &gt; which do not make tags.
pascal_22 Posted October 1, 2013 (Author)
Thanks for your reply! Sorry, I don't understand. You mean that <a href...> is not a tag? If I delete my strip_tags... all <div>,<b><u><i><font> are correctly added in my db fields.... but if I insert a <a href>.....it replaces < by &lt; and > by &gt;... why? Thanks
pascal_22 Posted October 1, 2013 (Author)
also... I didn't use the htmlentities() function
Ch0cu3r Posted October 1, 2013 (edited)
Well, somewhere you're either calling htmlentities(), htmlspecialchars() or another function that is converting the < and > to &lt; and &gt;. strip_tags() will do as it says it does: remove (raw) html markup. If your html markup is &lt;a href="www.google.ce"&gt;google&lt;/a&gt; then that is not raw html, but html converted to its entities. Does the following

$text = '<p><b>Hello</b> <a href="www.google.ce">google</a> World</p>';
echo strip_tags($text);

produce the same result?
AbraCadaver Posted October 1, 2013
> also... I didn't use the htmlentities() function

Post the code from where the variable exists unmodified up to where it is inserted in the db.
pascal_22 Posted October 1, 2013 (Author)
Ok, I found something... but it didn't help me...... Your code

$text = '<p><b>Hello</b> <a href="www.google.ce">google</a> World</p>';
echo strip_tags($text);

works correctly.. Also if I add <a href="www.google.ce">google</a> in a NORMAL textbox or textarea.... it works... I have a text field with NiceEditor... that lets the user format the text... it's in that one that the link a href is transformed..... but in other normal textarea and input type=text... all is good!!! So I don't know why NiceEditor.. changes it...... any idea? Thanks a lot!
AbraCadaver Posted October 1, 2013
> Ok, I found something... but it didn't help me...... Your code works correctly.. Also if I add <a href="www.google.ce">google</a> in a NORMAL textbox or textarea.... it works... I have a text field with NiceEditor... that lets the user format the text... it's in that one that the link a href is transformed..... but in other normal textarea and input type=text... all is good!!! So I don't know why NiceEditor.. changes it...... any idea? Thanks a lot!

Just out of curiosity, why do you provide an editor to let the user format text as HTML if you are just going to strip out the tags afterwards?
pascal_22 Posted October 1, 2013 (Author)
I know it sounds strange... but I want to only accept underline, bold, italic, fontcolor.... only that!!! And it's nice for the user to see what they format!!! Only for that. Thanks for your help to all! Pascal
pascal_22 Posted October 1, 2013 (Author)
also to delete any script.... that a user can insert.... but I think... strip_tags doesn't do that! It doesn't?
AbraCadaver Posted October 1, 2013 (Solution)
> I know it sounds strange... but I want to only accept underline, bold, italic, fontcolor.... only that!!! And it's nice for the user to see what they format!!! Only for that. Thanks for your help to all! Pascal

You can try:

$text = html_entity_decode($text);
$text = strip_tags($text, '<b><i><font>');
AbraCadaver Posted October 1, 2013
> also to delete any script.... that a user can insert.... but I think... strip_tags doesn't do that! It doesn't?

Yes, if it is in <script> tags.
pascal_22 Posted October 1, 2013 (Author)
Hey, thanks a LOT!!! It works with html_entity_decode($text); And yes, the script tag is deleted. After doing strip_tags, mysqli_real_escape_string.... am I still open to hackers? I mean, should I delete other things? And what happens for <?php .... ?> if inserted in text? Thanks a lot!
Ch0cu3r Posted October 1, 2013 (edited)
> And what happens for <?php .... ?> if inserted in text?

Nothing, as PHP code is not executed within strings. Unless you use eval()

echo '<?php echo "danger"; ?>';

will output <?php echo "danger"; ?> and the web browser will interpret it as XML code though.
AbraCadaver Posted October 1, 2013
> Hey, thanks a LOT!!! It works with html_entity_decode($text); And yes, the script tag is deleted. After doing strip_tags, mysqli_real_escape_string.... am I still open to hackers? I mean, should I delete other things? And what happens for <?php .... ?> if inserted in text? Thanks a lot!

Also, strip_tags() strips the php tags. You should be fine since you are using mysqli_real_escape_string()
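An added example, not code posted in the thread, showing the solution's html_entity_decode() + strip_tags() allowlist (with <u> added, since the question asked for underline) followed by one step the thread does not cover: strip_tags() keeps whatever attributes sit on the tags it allows, so a <b onmouseover="..."> would survive the allowlist; the function below rewrites the remaining tags to bare names, keeping only a validated color on <font>. The sample input is constructed and assumes the editor submits entity-encoded HTML, as pascal_22 observed.

```php
<?php
// Added example (not from the thread): reduce editor HTML to a small allowlist
// of formatting tags, then drop the attributes strip_tags() leaves on them.
function sanitize_formatting(string $html): string
{
    // 1. Undo the entity encoding the editor applied (&lt;b&gt; -> <b>),
    //    as in the thread's solution.
    $text = html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Keep only the formatting tags wanted; everything else (<script>,
    //    <a>, <?php ... ?>, <iframe>, ...) is removed by strip_tags().
    //    Note: the text inside a removed <script> element stays as plain text.
    $text = strip_tags($text, '<b><i><u><font>');

    // 3. strip_tags() does not touch attributes on allowed tags, so
    //    <b onmouseover="..."> would survive step 2. Rewrite each remaining
    //    tag to its bare name; on <font> keep only a color that is a hex value
    //    or a plain word.
    return preg_replace_callback(
        '#<(/?)(b|i|u|font)\b([^>]*)>#i',
        function (array $m): string {
            $tag = strtolower($m[2]);
            if ($m[1] === '/' || $tag !== 'font') {
                return "<{$m[1]}{$tag}>";
            }
            if (preg_match('/\bcolor\s*=\s*["\']?(#[0-9a-f]{3,6}|[a-z]+)["\']?/i', $m[3], $c)) {
                return '<font color="' . $c[1] . '">';
            }
            return '<font>';
        },
        $text
    );
}

// Constructed sample: what an entity-encoding editor might submit.
$submitted = '&lt;b onmouseover=&quot;alert(1)&quot;&gt;Hi&lt;/b&gt; '
           . '&lt;script&gt;alert(2)&lt;/script&gt; '
           . '&lt;font color=&quot;#ff0000&quot; style=&quot;x&quot;&gt;red&lt;/font&gt; '
           . '&lt;a href=&quot;www.google.ce&quot;&gt;google&lt;/a&gt;';

$clean = sanitize_formatting($submitted);
echo $clean, "\n";
// Result: <b>Hi</b> alert(2) <font color="#ff0000">red</font> google
// Escaping for the database (mysqli_real_escape_string(), or better a prepared
// statement) is a separate concern from this HTML clean-up; do both.
```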
pascal_22 Posted October 1, 2013 (Author)
Ok, thanks a lot!!! I really appreciate all your help!!!! Have a good night!!! Pascal