Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

strip everything but not spaces and line breaks

Posted on 2014-09-30
9
Medium Priority
?
102 Views
Last Modified: 2015-01-02
Hi experts,

I found in my site the following function:

	function checkValues($value)
	{
		 // Use this function on all those values where you want to check for both sql injection and cross site scripting
		 //Trim the value
		 $value = trim($value);
		 
		// Stripslashes
		if (get_magic_quotes_gpc()) {
			$value = stripslashes($value);
		}
		
		 // Convert all <, > etc. to normal html and then strip these
		 $value = strtr($value,array_flip(get_html_translation_table(HTML_ENTITIES)));
		
		 // Strip HTML Tags
		 $value = strip_tags($value);
		
		// Quote the value
		$value = mysql_real_escape_string($value);
		$value = htmlspecialchars ($value);
		return $value;
		
	}

Open in new window


Which work fine but the problem is this function clean my variable more as I wish. Lets say I have an example variable with the following content:

"This is a test

Here is the second line."

than the output after I use this function is:
"This is a test Here is the second line"

I would like to convert this function to spaces and <br> keep working. I tried already some things and removed also some stuff but I dont get it work. I can also kick out the entire function and replace with something else. What i need is basically only that the user form transmitted text dont save some html. php etc. command but only the text plus spaces and linebreaks.

Thank you in advance for your help.
0
Comment
Question by:Oliver2000
  • 3
  • 2
  • 2
7 Comments
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 40352266
PHP has the nl2br() function to help with things like this.  Usually the data comes in via a form with a textarea.  I'll show you an example in a moment.

The code sample looks very, very old - to the point that I would call it obsolete.  If you're new to PHP and want to get a good start, this article can help you get a good foundation, and more importantly can help you avoid the many out of date and poor examples of PHP code that litter the internet.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11769-And-by-the-way-I-am-new-to-PHP.html
0
 
LVL 36

Expert Comment

by:gr8gonzo
ID: 40352267
I would suggest using Simple HTML DOM and outputting the plaintext version of the contents. That should do what you want. Can you show an example of the original data?
0
 
LVL 36

Expert Comment

by:gr8gonzo
ID: 40352274
The Simple HTML DOM method:

1. Download it from:
http://simplehtmldom.sourceforge.net/

2. Unzip the simple_html_dom.php file (that's the only one you need) into the same folder with your script.

3. Add this code into the place where you want to strip the tags and keep the spacing:
require_once("simple_html_dom.php");
$value = str_get_html($value)->plaintext;
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 111

Expert Comment

by:Ray Paseur
ID: 40352298
Here's the theory, implemented in a simple code snippet. Note the @ in line 25.  In real life you would not need that.  I only put it into the script to suppress the warning that arises from the (incorrect) assumption that I actually have a MySQL database connection.
http://iconoun.com/demo/temp_oliver2000.php

<?php // demo/temp_oliver2000.php
error_reporting(E_ALL);

// SEE http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/Q_28528286.html

/**
 * Theory:
 * We want to trim and store everything that the client put into the textarea, with as little change as possible.
 * We want to display the content in a way that prevents malicious JavaScript or HTML from affecting the client browser.
 * Code assumes that there is a MySQL data base connection.
 *
 * Background reading:
 * Magic Quotes: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html
 * MySQL: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html
 */

// SCRIPT INITIALIZATION
$br_textarea = NULL;

// ACQUIRE THE EXTERNAL INPUT DATA
$textarea    = !empty($_POST['t'])? trim($_POST['t']) : NULL;
if ($textarea)
{
    // THIS IS WHAT WE CAN STORE IN THE DATABASE
    $db_textarea = @mysql_real_escape_string($textarea);

    // THIS IS WHAT WE CAN WRITE TO THE BROWSER
    $br_textarea = htmlentities($textarea);
}

// THE FORM TO RECEIVE THE CLIENT INPUT
$form = <<<EOF
<form method="post">
<textarea name="t">$br_textarea</textarea>
<input type="submit" />
</form>
EOF;
echo $form;

// SHOW THE CLIENT INPUT WITH LINE BREAKS PRESERVED
echo nl2br($br_textarea);

Open in new window

0
 
LVL 53

Accepted Solution

by:
COBOLdinosaur earned 2000 total points
ID: 40352554
If you want to preserve the <br /> tags you an change it keep them with:

$value = strip_tags($value, '<br />');

Cd&
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 40352933
@CD&: I have not revisited this since I posted it a few years ago.  It might be worth re-testing.
http://php.net/manual/en/function.strip-tags.php#88991

Edited: Retesting we get this on PHP 5.4+
http://iconoun.com/demo/strip_tags.php

<?php // demo/strip_tags.php
error_reporting(E_ALL);
echo '<pre>';

$data = '<br>Each<br/>New<br />Line';

echo PHP_EOL . "Strip_Tags() APPLIED TO THIS STRING: " . htmlentities($data);
echo PHP_EOL;

$tag = '<br>';
$new  = strip_tags($data, $tag);
echo PHP_EOL . "USING TAG: " . htmlentities($tag) . " WE GET: " . htmlentities($new);

$tag = '<br/>';
$new  = strip_tags($data, $tag);
echo PHP_EOL . "USING TAG: " . htmlentities($tag) . " WE GET: " . htmlentities($new);

$tag = '<br />';
$new  = strip_tags($data, $tag);
echo PHP_EOL . "USING TAG: " . htmlentities($tag) . " WE GET: " . htmlentities($new);

Open in new window

Best to all, ~Ray
0
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 40352986
Okay so: $value = strip_tags($value, '<br>');

Cd&
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Without even knowing it, most of us are using web applications on a daily basis.  In fact, Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We generally confuse these web applications to…
No other job is as rewarding and demanding as building an iPhone app is. It is not really in the hands of the developer for the success of an iPhone app. Many factors operate jointly for every iOS application's success in the market.
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).
Starting up a Project
Suggested Courses

575 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question