
strip_tags


madcrazy


Hello everyone! :o Client API version 5.0.24, PHP 4.4.7

 

I am trying to make code that will let users upload images and embedded object tags via a simple web form. I have it working correctly; it does what I want it to: the user uploads, say, <img src="http://blabla"> from a web form, and it gets dumped into the SQL table.

 

This is the "behind the scenes" code that runs on the form submission:

 

case "Images": {
    ## VALIDATE FORM ENTRY:
    if (get_magic_quotes_gpc()==0) {
        $V1 = filter_str(strip_tags($_POST['V1']),$connector);
        $V2 = filter_str(strip_tags($_POST['V2']),$connector);
    }
    ## ADD ENTRY INTO DATABASE:
    $query_add="INSERT INTO `tbl_mytable` (`uid` , `name` , `bigimage` )
                VALUES ('".$_SESSION['uid']."', '$V1', '$V2')";
    $result=mysql_query($query_add);
    $_REQUEST['page'] = "Images";
    $ErrorMessage = "Image updated successfully";
} break;

 

 

 

Then it is retrieved via a web page with this query:

<?php
## GET INFORMATION
$RunThisQuery = "SELECT id, bigimage  FROM files WHERE uid=".$_REQUEST['id'];
$results = $connector->query($RunThisQuery);
while ($row = $connector->fetchArray($results)) {
?>
<a href="<?php print $row['bigimage']; ?>"></a>
<?php } ?>

 

 

I had to set get_magic_quotes_gpc()==0 in order to upload the tags; otherwise, setting it to 1 strips them away.

The problems I have with this are:

1.) Any code can be submitted. I am not aware of the kind of code that could be submitted that could potentially breach security/privacy or damage my whole website, but just to be sure I would like to be able to have users upload using this form, but only strip away potentially dangerous code from getting into the database.

Can someone please help. Thanks

 

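As an added example (not the original poster's code), here is what the submission handler and the display page above look like with the two classic defects closed: the `uid=".$_REQUEST['id']` string concatenation is replaced by a prepared statement with a bound integer, the image value is accepted only if it is an absolute http(s) URL, and the stored value is HTML-encoded with htmlspecialchars() when it is printed into the href. The poster's $connector wrapper and filter_str() are assumed to be unavailable, so the example talks to mysqli directly with placeholder credentials; it targets PHP 7.1 or later, where get_magic_quotes_gpc() no longer exists, so nothing is escaped on the way in and parameter binding handles quoting.

```php
<?php
// Added example: hardened version of the form handler and display page from
// the post. Assumptions: a mysqli connection (the poster's $connector wrapper
// is not available), PHP 7.1+, and hypothetical placeholder credentials.

function db(): mysqli {
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
    $db->set_charset('utf8mb4');
    return $db;
}

// Accept only an absolute http(s) URL for the image; anything else is rejected.
// javascript:, data: and relative values never reach the database.
function validateImageUrl(string $raw): ?string {
    $url = trim($raw);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Store one row. No values are concatenated into the SQL; the driver binds them.
function addImage(mysqli $db, int $uid, string $name, string $imageUrl): bool {
    $stmt = $db->prepare(
        'INSERT INTO `tbl_mytable` (`uid`, `name`, `bigimage`) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('iss', $uid, $name, $imageUrl);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Fetch rows for a client-supplied uid. The id is cast to int and bound, so
// "1 OR 1=1" or "1 UNION SELECT ..." cannot change the query.
function listImages(mysqli $db, int $uid): array {
    $stmt = $db->prepare('SELECT id, bigimage FROM files WHERE uid = ?');
    $stmt->bind_param('i', $uid);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Render one link. ENT_QUOTES means a stored value such as
//   http://x/" onmouseover="alert(1)
// cannot break out of the href attribute even if it slipped past validation.
function renderLink(array $row): string {
    $enc = htmlspecialchars($row['bigimage'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $enc . '">' . $enc . '</a>';
}

// --- form handler (replaces the case "Images" block in the post) ---
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['page'] ?? '') === 'Images') {
    session_start();
    $name = trim($_POST['V1'] ?? '');
    $url  = validateImageUrl($_POST['V2'] ?? '');
    if ($url === null || $name === '' || !isset($_SESSION['uid'])) {
        $ErrorMessage = 'Please supply a name and an http(s) image URL';
    } else {
        $ErrorMessage = addImage(db(), (int) $_SESSION['uid'], $name, $url)
            ? 'Image updated successfully' : 'Database error';
    }
}

// --- display page (replaces the while loop in the post) ---
if (isset($_GET['id'])) {
    foreach (listImages(db(), (int) $_GET['id']) as $row) {
        echo renderLink($row), "\n";
    }
}
```

The important design point is that the two problems are handled in two different places: SQL safety comes from binding parameters at the query, and HTML safety comes from encoding at the moment of output, not from stripping characters out of the stored value. strip_tags() or magic quotes do neither job reliably.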

Only script/iframe blocks can be used to access remote sites/scripts; if you simply replace these tags (e.g. <script with <s2cript) then the browser will ignore it. Or you can actually clean it up in your code.


Greetings, I'm assuming you're saying that if someone sends a <script tag, this is really the only thing that could harm my website (besides appearance-wise). Please correct me if I am wrong.

Also, could this solution be implemented by just adding the script tags like so...

 

 

<?php
## GET INFORMATION
$RunThisQuery = "SELECT id, bigimage  FROM files WHERE uid=".$_REQUEST['id'];
$results = $connector->query($RunThisQuery);
while ($row = $connector->fetchArray($results)) {
?>
<a href="<sc2ript <?php print $row['bigimage']; ?>scrip2t>"></a>
<?php } ?>

 

Is this what you mean? I had already nested the output in an href, and was not sure this would work also.

Thank you~

 

 

 

 

 


If the above is not a solution, I have found this bit of code:

function html2txt($document){
    $search = array('@<script[^>]*?>.*?</script>@si',  // Strip out javascript
                    '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
                    '@<![\s\S]*?--[ \t\n\r]*>@'        // Strip multi-line comments including CDATA
    );
    $text = preg_replace($search, '', $document);
    return $text;
}

 

but I don't know how to integrate this code with:

 

if (get_magic_quotes_gpc()==1) {
    $V1 = filter_str(strip_tags($_POST['V1']),$connector);
    $V2 = filter_str(strip_tags($_POST['V2']),$connector);
}

 

At one point I actually took out this whole thing:

if (get_magic_quotes_gpc()==1) {
    $V1 = filter_str(strip_tags($_POST['V1']),$connector);
    $V2 = filter_str(strip_tags($_POST['V2']),$connector);
}

to make the code work, but this just caused everything not to work, so I just changed it to get_magic_quotes_gpc()==0. It worked but doesn't strip anything.

 

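As an added example (not code from the thread), the html2txt() function from the post above is run unchanged against a handful of constructed payloads to show what its three patterns remove and what they let through, next to the approach the question is really asking for: instead of deleting known-bad tags, parse the submitted HTML and keep only <img> tags whose src is an http(s) URL, rebuilding each tag from the parsed value so no other attribute survives. The payloads are made up for the test. The allowlist uses PHP's bundled DOMDocument, filter_var() and htmlspecialchars(), so it needs PHP 5.4 or later rather than the PHP 4.4 in the original question.

```php
<?php
// Added example, not from the thread. Compares the regex blacklist posted in the
// thread with an allowlist rebuild of <img> tags. All payloads are constructed.

// The function exactly as posted in the thread.
function html2txt($document) {
    $search = array('@<script[^>]*?>.*?</script>@si',  // Strip out javascript
                    '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
                    '@<![\s\S]*?--[ \t\n\r]*>@'        // Strip multi-line comments including CDATA
    );
    return preg_replace($search, '', $document);
}

// Allowlist: parse the markup, then emit only <img src="http(s)://..."> built
// from scratch. Other tags, text, and every other attribute are dropped.
function allowImagesOnly(string $html): string {
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);            // tolerate broken markup quietly
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>',
                   LIBXML_NONET);                         // never fetch external entities
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $out = [];
    foreach ($doc->getElementsByTagName('img') as $img) {
        $src    = trim($img->getAttribute('src'));
        $scheme = strtolower((string) parse_url($src, PHP_URL_SCHEME));
        if (filter_var($src, FILTER_VALIDATE_URL) !== false
            && in_array($scheme, ['http', 'https'], true)) {
            $out[] = '<img src="'
                   . htmlspecialchars($src, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
        }
    }
    return implode('', $out);
}

// Constructed inputs. The first two are what the poster wants to accept; the
// rest are not <script>, <style> or comments, so html2txt() leaves them intact.
$payloads = [
    'plain image'    => '<img src="http://example.com/a.png">',
    'img + onload'   => '<img src="http://example.com/a.png" onload="alert(1)">',
    'img onerror'    => '<img src="x" onerror="alert(1)">',
    'javascript url' => '<a href="javascript:alert(1)">click</a>',
    'svg onload'     => '<svg onload="alert(1)"></svg>',
    'iframe'         => '<iframe src="http://attacker.invalid/"></iframe>',
    // Single-pass regex: removing the inner <script></script> leaves <script>...</script>.
    'split script'   => '<scr<script></script>ipt>alert(1)</script>',
];

foreach ($payloads as $label => $input) {
    printf("%-15s blacklist: %-52s allowlist: %s\n",
           $label, html2txt($input), allowImagesOnly($input));
}
```

Run from the command line, the blacklist column shows every payload except the script pairs passing through unchanged (and the split one collapsing into a working <script> tag), while the allowlist column contains exactly two entries, both a bare <img src="http://example.com/a.png"> with the onload attribute gone. That is the general lesson: a deny-list of tags is only as complete as the attacker's imagination, whereas an allow-list of what may be stored is checked against the one shape you actually intend to accept.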

Can you help me with implementing this please:

function html2txt($document){
    $search = array('@<script[^>]*?>.*?</script>@si',  // Strip out javascript
                    '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
                    '@<![\s\S]*?--[ \t\n\r]*>@'        // Strip multi-line comments including CDATA
    );
    $text = preg_replace($search, '', $document);
    return $text;
}

 

 


1.) All the program does is take a web form entry from a user.
2.) Puts that information in an SQL table.
3.) Displays that information when print row is called. That's it!

I want the form entry data to be monitored and stripped if it is potentially harmful.

 
