strip everything but not spaces and line breaks

Hi experts,

I found in my site the following function:

	function checkValues($value)
	{
		 // Use this function on all those values where you want to check for both sql injection and cross site scripting
		 //Trim the value
		 $value = trim($value);
		 
		// Stripslashes
		if (get_magic_quotes_gpc()) {
			$value = stripslashes($value);
		}
		
		 // Convert all <, > etc. to normal html and then strip these
		 $value = strtr($value,array_flip(get_html_translation_table(HTML_ENTITIES)));
		
		 // Strip HTML Tags
		 $value = strip_tags($value);
		
		// Quote the value
		$value = mysql_real_escape_string($value);
		$value = htmlspecialchars ($value);
		return $value;
		
	}

Open in new window


Which work fine but the problem is this function clean my variable more as I wish. Lets say I have an example variable with the following content:

"This is a test

Here is the second line."

than the output after I use this function is:
"This is a test Here is the second line"

I would like to convert this function to spaces and <br> keep working. I tried already some things and removed also some stuff but I dont get it work. I can also kick out the entire function and replace with something else. What i need is basically only that the user form transmitted text dont save some html. php etc. command but only the text plus spaces and linebreaks.

Thank you in advance for your help.
Oliver2000Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ray PaseurCommented:
PHP has the nl2br() function to help with things like this.  Usually the data comes in via a form with a textarea.  I'll show you an example in a moment.

The code sample looks very, very old - to the point that I would call it obsolete.  If you're new to PHP and want to get a good start, this article can help you get a good foundation, and more importantly can help you avoid the many out of date and poor examples of PHP code that litter the internet.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11769-And-by-the-way-I-am-new-to-PHP.html
0
gr8gonzoConsultantCommented:
I would suggest using Simple HTML DOM and outputting the plaintext version of the contents. That should do what you want. Can you show an example of the original data?
0
gr8gonzoConsultantCommented:
The Simple HTML DOM method:

1. Download it from:
http://simplehtmldom.sourceforge.net/

2. Unzip the simple_html_dom.php file (that's the only one you need) into the same folder with your script.

3. Add this code into the place where you want to strip the tags and keep the spacing:
require_once("simple_html_dom.php");
$value = str_get_html($value)->plaintext;
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Ray PaseurCommented:
Here's the theory, implemented in a simple code snippet. Note the @ in line 25.  In real life you would not need that.  I only put it into the script to suppress the warning that arises from the (incorrect) assumption that I actually have a MySQL database connection.
http://iconoun.com/demo/temp_oliver2000.php

<?php // demo/temp_oliver2000.php
error_reporting(E_ALL);

// SEE http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/Q_28528286.html

/**
 * Theory:
 * We want to trim and store everything that the client put into the textarea, with as little change as possible.
 * We want to display the content in a way that prevents malicious JavaScript or HTML from affecting the client browser.
 * Code assumes that there is a MySQL data base connection.
 *
 * Background reading:
 * Magic Quotes: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html
 * MySQL: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html
 */

// SCRIPT INITIALIZATION
$br_textarea = NULL;

// ACQUIRE THE EXTERNAL INPUT DATA
$textarea    = !empty($_POST['t'])? trim($_POST['t']) : NULL;
if ($textarea)
{
    // THIS IS WHAT WE CAN STORE IN THE DATABASE
    $db_textarea = @mysql_real_escape_string($textarea);

    // THIS IS WHAT WE CAN WRITE TO THE BROWSER
    $br_textarea = htmlentities($textarea);
}

// THE FORM TO RECEIVE THE CLIENT INPUT
$form = <<<EOF
<form method="post">
<textarea name="t">$br_textarea</textarea>
<input type="submit" />
</form>
EOF;
echo $form;

// SHOW THE CLIENT INPUT WITH LINE BREAKS PRESERVED
echo nl2br($br_textarea);

Open in new window

0
COBOLdinosaurCommented:
If you want to preserve the <br /> tags you an change it keep them with:

$value = strip_tags($value, '<br />');

Cd&
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Ray PaseurCommented:
@CD&: I have not revisited this since I posted it a few years ago.  It might be worth re-testing.
http://php.net/manual/en/function.strip-tags.php#88991

Edited: Retesting we get this on PHP 5.4+
http://iconoun.com/demo/strip_tags.php

<?php // demo/strip_tags.php
error_reporting(E_ALL);
echo '<pre>';

$data = '<br>Each<br/>New<br />Line';

echo PHP_EOL . "Strip_Tags() APPLIED TO THIS STRING: " . htmlentities($data);
echo PHP_EOL;

$tag = '<br>';
$new  = strip_tags($data, $tag);
echo PHP_EOL . "USING TAG: " . htmlentities($tag) . " WE GET: " . htmlentities($new);

$tag = '<br/>';
$new  = strip_tags($data, $tag);
echo PHP_EOL . "USING TAG: " . htmlentities($tag) . " WE GET: " . htmlentities($new);

$tag = '<br />';
$new  = strip_tags($data, $tag);
echo PHP_EOL . "USING TAG: " . htmlentities($tag) . " WE GET: " . htmlentities($new);

Open in new window

Best to all, ~Ray
0
COBOLdinosaurCommented:
Okay so: $value = strip_tags($value, '<br>');

Cd&
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.