Solved

strip everything but not spaces and line breaks

Posted on 2014-09-30
Last Modified: 2015-01-02
Hi experts,

I found in my site the following function:

	function checkValues($value)
	{
		 // Use this function on all those values where you want to check for both sql injection and cross site scripting
		 //Trim the value
		 $value = trim($value);
		 
		// Stripslashes
		if (get_magic_quotes_gpc()) {
			$value = stripslashes($value);
		}
		
		 // Convert all <, > etc. to normal html and then strip these
		 $value = strtr($value,array_flip(get_html_translation_table(HTML_ENTITIES)));
		
		 // Strip HTML Tags
		 $value = strip_tags($value);
		
		// Quote the value
		$value = mysql_real_escape_string($value);
		$value = htmlspecialchars ($value);
		return $value;
		
	}



Which works fine, but the problem is this function cleans my variable more than I wish. Let's say I have an example variable with the following content:

"This is a test

Here is the second line."

then the output after I use this function is:
"This is a test Here is the second line"

I would like to change this function so that spaces and <br> keep working. I have already tried some things and also removed some stuff, but I can't get it to work. I can also kick out the entire function and replace it with something else. What I need is basically only that the text transmitted by the user form doesn't save any HTML, PHP etc. commands, but only the text plus spaces and line breaks.

Thank you in advance for your help.
0
Question by:Oliver2000
9 Comments
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 40352266
PHP has the nl2br() function to help with things like this.  Usually the data comes in via a form with a textarea.  I'll show you an example in a moment.

The code sample looks very, very old - to the point that I would call it obsolete.  If you're new to PHP and want to get a good start, this article can help you get a good foundation, and more importantly can help you avoid the many out of date and poor examples of PHP code that litter the internet.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11769-And-by-the-way-I-am-new-to-PHP.html
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 40352267
I would suggest using Simple HTML DOM and outputting the plaintext version of the contents. That should do what you want. Can you show an example of the original data?
0
 
LVL 35

Expert Comment

by:gr8gonzo
ID: 40352274
The Simple HTML DOM method:

1. Download it from:
http://simplehtmldom.sourceforge.net/

2. Unzip the simple_html_dom.php file (that's the only one you need) into the same folder with your script.

3. Add this code into the place where you want to strip the tags and keep the spacing:

	require_once("simple_html_dom.php");
	$value = str_get_html($value)->plaintext;
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 40352298
Here's the theory, implemented in a simple code snippet. Note the @ in line 25.  In real life you would not need that.  I only put it into the script to suppress the warning that arises from the (incorrect) assumption that I actually have a MySQL database connection.
http://iconoun.com/demo/temp_oliver2000.php

<?php // demo/temp_oliver2000.php
error_reporting(E_ALL);

// SEE http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/Q_28528286.html

/**
 * Theory:
 * We want to trim and store everything that the client put into the textarea, with as little change as possible.
 * We want to display the content in a way that prevents malicious JavaScript or HTML from affecting the client browser.
 * Code assumes that there is a MySQL data base connection.
 *
 * Background reading:
 * Magic Quotes: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html
 * MySQL: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html
 */

// SCRIPT INITIALIZATION
$br_textarea = NULL;

// ACQUIRE THE EXTERNAL INPUT DATA
$textarea    = !empty($_POST['t'])? trim($_POST['t']) : NULL;
if ($textarea)
{
    // THIS IS WHAT WE CAN STORE IN THE DATABASE
    $db_textarea = @mysql_real_escape_string($textarea);

    // THIS IS WHAT WE CAN WRITE TO THE BROWSER
    $br_textarea = htmlentities($textarea);
}

// THE FORM TO RECEIVE THE CLIENT INPUT
$form = <<<EOF
<form method="post">
<textarea name="t">$br_textarea</textarea>
<input type="submit" />
</form>
EOF;
echo $form;

// SHOW THE CLIENT INPUT WITH LINE BREAKS PRESERVED
echo nl2br($br_textarea);


0
 
LVL 53

Accepted Solution

by:
COBOLdinosaur earned 500 total points
ID: 40352554
If you want to preserve the <br /> tags you can change it to keep them with:

$value = strip_tags($value, '<br />');

Cd&
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 40352933
@CD&: I have not revisited this since I posted it a few years ago.  It might be worth re-testing.
http://php.net/manual/en/function.strip-tags.php#88991

Edited: Retesting we get this on PHP 5.4+
http://iconoun.com/demo/strip_tags.php

<?php // demo/strip_tags.php
error_reporting(E_ALL);
echo '<pre>';

$data = '<br>Each<br/>New<br />Line';

echo PHP_EOL . "Strip_Tags() APPLIED TO THIS STRING: " . htmlentities($data);
echo PHP_EOL;

$tag = '<br>';
$new  = strip_tags($data, $tag);
echo PHP_EOL . "USING TAG: " . htmlentities($tag) . " WE GET: " . htmlentities($new);

$tag = '<br/>';
$new  = strip_tags($data, $tag);
echo PHP_EOL . "USING TAG: " . htmlentities($tag) . " WE GET: " . htmlentities($new);

$tag = '<br />';
$new  = strip_tags($data, $tag);
echo PHP_EOL . "USING TAG: " . htmlentities($tag) . " WE GET: " . htmlentities($new);


Best to all, ~Ray
0
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 40352986
Okay so: $value = strip_tags($value, '<br>');

Cd&
0
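
An added example, not part of any post in this thread: one way to keep only the text plus spaces and line breaks, with storage and output handled as separate steps as in Ray Paseur's theory above. The function names, the `comments` table and the sample input are assumptions made for illustration, and the in-memory SQLite database (needs the pdo_sqlite extension) stands in for the real one.

```php
<?php
// Added example; clean_text_input() and render_text() are hypothetical names.

/**
 * Reduce submitted text to plain text, keeping spaces and line breaks.
 * <br> variants become newlines BEFORE tags are stripped, so no tag
 * (and no attribute on an allowed tag) reaches storage.
 */
function clean_text_input(string $value): string
{
    // Normalise line endings sent by different clients.
    $value = str_replace(["\r\n", "\r"], "\n", $value);
    // <br>, <br/>, <br /> (with or without attributes) -> newline.
    $value = preg_replace('~<br\b[^>]*>~i', "\n", $value);
    // Strip every remaining tag; no allow-list is passed.
    $value = strip_tags($value);
    return trim($value);
}

/** Escape at output time, then turn newlines into <br />. */
function render_text(string $stored): string
{
    return nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample input: a <br> carrying an attribute, blank line, inline tag.
$input = "This is a test<br onmouseover=\"x()\">\r\n\r\nHere is the <b>second</b> line.";
$clean = clean_text_input($input);

// Storage: bind the value as a parameter instead of escaping it by hand.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (body TEXT)');
$pdo->prepare('INSERT INTO comments (body) VALUES (?)')->execute([$clean]);
$stored = $pdo->query('SELECT body FROM comments')->fetchColumn();

// Output: line breaks are preserved, everything else is plain text.
echo render_text($stored), PHP_EOL;

// For comparison: with an allow-list, strip_tags() leaves the attributes
// of the allowed tag in place (shown escaped so it is visible).
echo htmlspecialchars(strip_tags($input, '<br>')), PHP_EOL;
```

The last line shows why the allow-list form needs care: `strip_tags()` removes other tags but does not touch attributes on the tags it is told to keep, so converting `<br>` to newlines first and re-creating the breaks with `nl2br()` at output avoids storing any markup at all.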
