strip_tags

[madcrazy]

Hello everyone!  Client API version  5.0.24  php 4.4.7

 

I am trying to make code that will let users upload images and embeded

object tags via a simple web form. I have it working correctly, it does what i want it to:

user uploads say <img src="http://blabla"> from a web form.

it gets dumped into the sql table.

 

this is the "behind the scenes" code that works on the form submission:

 

case "Images": {

## VALIDATE FORM ENTRY:

if (get_magic_quotes_gpc()==0) {

$V1 = filter_str(strip_tags($_POST['V1']),$connector)

$V2 = filter_str(strip_tags($_POST['V2']),$connector);

}

## ADD ENTRY INTO DATABASE:

$query_add="INSERT INTO `tbl_mytable` (`uid` , `name` , `bigimage` )

VALUES ('".$_SESSION['uid']."', '$V1', '$V2')";

$result=mysql_query($query_add);

$_REQUEST['page'] = "Images";

$ErrorMessage = "Image updated successfully";

}break;

 

 

 

then it is retrieved via a webpage with this query:

<?

  ## GET INFORMATION

$RunThisQuery = "SELECT id, bigimage  FROM files WHERE uid=".$_REQUEST['id'];

$results = $connector->query($RunThisQuery);

while ($row = $connector->fetchArray($results)){

  ?>

<a href="<? print $row['bigimage']; ?>"></a>

<? } ?>

 

 

i had to set get_magic_quotes_gpc()==0

in order to upload the tags, otherwise setting to 1 strips them away.

the problems i have with this are:

1.)Any code can be submitted, i am not aware of the kind of code

that could be submitted that could potentially breach security/privacy

or damage my whole website. but just to be sure i would like to

be able to have users upload using this form, but only strip away potentially

dangerous code from getting into the database.

Can someone please help. Thanks

 

[fenway]

There must be some php function that cleans up html -- otherwise, just replace script and iframe blocks and you should be ok.

[madcrazy]

Hi, Sorry i'm lost. you say:

just replace script and iframe blocks and you should be ok.

i dont know how to do it. and i am not sure what this will do. please explain

thank you ~ 

[fenway]

Only script/iframe blocks can be used to access remote sites/scripts -- if you simply replace these tags (e.g. <script with <s2cript ) then the browser will ignore it.  Or you can actually clean it up in your car.

[madcrazy]

Greetings, Im assuming your saying that is someone sends a <script tag

this is really the only thing that could harm my website(besides appearance wise). please correct me if i am wrong.

Also. could this solution be implemented by just adding the script tags like so..

 

 

<?

    ## GET INFORMATION

  $RunThisQuery = "SELECT id, bigimage  FROM files WHERE uid=".$_REQUEST['id'];

  $results = $connector->query($RunThisQuery);

  while ($row = $connector->fetchArray($results)){     

  ?>

<a href="<sc2ript <? print $row['bigimage']; ?>scrip2t>">[/url]

    <? } ?>

 

Is this what you mean?

i had already nested the output in an href , was not sure this would work also.

 

thank you~

 

 

 

 

 

[madcrazy]

If the above is not a solution, i have found this bit of code:

function html2txt($document){

$search = array('@<script[^>]*?>.*?</script>@si',  // Strip out javascript

              '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly

              '@<![\s\S]*?--[ \t\n\r]*>@'        // Strip multi-line comments including CDATA

);

$text = preg_replace($search, '', $document);

return $text;

}

 

but i dont know how to integrate this code with:

 

if (get_magic_quotes_gpc()==1) {

$V1 = filter_str(strip_tags($_POST['V1']),$connector)

$V2 = filter_str(strip_tags($_POST['V2']),$connector);       

  }

 

At one point I actually took out this whole thing:

if (get_magic_quotes_gpc()==1) {

$V1 = filter_str(strip_tags($_POST['V1']),$connector)

$V2 = filter_str(strip_tags($_POST['V2']),$connector);       

  }

to make the code work, but this just caused everything not to work

so i just changed get_magic_quotes_gpc()==0

it worked but doesnt strip anything

 

[fenway]

I was referring to the replace solution you showed...

[madcrazy]

Can you help me with implementing this please:

function html2txt($document){

$search = array('@<script[^>]*?>.*?</script>@si',  // Strip out javascript

              '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly

              '@<![\s\S]*?--[ \t\n\r]*>@'        // Strip multi-line comments including CDATA

);

$text = preg_replace($search, '', $document);

return $text;

}

 

 

[fenway]

It's just an array of regexes...

[madcrazy]

ok, but how can i get it to work with my setup? ???

[fenway]

I don't see you using that function, I see you using other functions that I have no idea what they do.

[madcrazy]

1.)all the program does is take a web form entry from a user.

2.)puts that information in an sql table

3.)displays that infomation when print row is called Thats it!

 

i want the form entry data to be monitored and striped if it is potentially harmful.

 

[fenway]

Great... I'll say again, I don't see you using this function -- call it on whatever string content you want converted.

[madcrazy]

Can you give me an example of how to call a row that can take out a <sript

tag?

thank you

[fenway]

Can you give me an example of how to call a row that can take out a <sript

tag?

thank you

 

Wherever you have your input variable, wrap it in the function call -- I can't be more specific.

[madcrazy]

wrap it in the function call, how do i wrap it? ok example please

when you say function call it is very confusing. because when you say function call it sounds like getting data from the table row