Solved

strip everything but not spaces and line breaks

Posted on 2014-09-30
Last Modified: 2015-01-02
Hi experts,

I found in my site the following function:

	function checkValues($value)
	{
		 // Use this function on all those values where you want to check for both sql injection and cross site scripting
		 //Trim the value
		 $value = trim($value);
		 
		// Stripslashes
		if (get_magic_quotes_gpc()) {
			$value = stripslashes($value);
		}
		
		 // Convert all <, > etc. to normal html and then strip these
		 $value = strtr($value,array_flip(get_html_translation_table(HTML_ENTITIES)));
		
		 // Strip HTML Tags
		 $value = strip_tags($value);
		
		// Quote the value
		$value = mysql_real_escape_string($value);
		$value = htmlspecialchars ($value);
		return $value;
		
	}

Which works fine, but the problem is that this function cleans my variable more than I wish. Let's say I have an example variable with the following content:

"This is a test

Here is the second line."

then the output after I use this function is:
"This is a test Here is the second line"

I would like to convert this function so that spaces and <br> keep working. I already tried some things and also removed some stuff, but I don't get it to work. I can also kick out the entire function and replace it with something else. What I need is basically only that the text transmitted by the user form doesn't save any HTML, PHP etc. commands, but only the text plus spaces and line breaks.

Thank you in advance for your help.
Question by:Oliver2000
9 Comments
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 40352266
PHP has the nl2br() function to help with things like this.  Usually the data comes in via a form with a textarea.  I'll show you an example in a moment.

The code sample looks very, very old - to the point that I would call it obsolete.  If you're new to PHP and want to get a good start, this article can help you get a good foundation, and more importantly can help you avoid the many out of date and poor examples of PHP code that litter the internet.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11769-And-by-the-way-I-am-new-to-PHP.html
0
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 40352267
I would suggest using Simple HTML DOM and outputting the plaintext version of the contents. That should do what you want. Can you show an example of the original data?
0
 
LVL 34

Expert Comment

by:gr8gonzo
ID: 40352274
The Simple HTML DOM method:

1. Download it from:
http://simplehtmldom.sourceforge.net/

2. Unzip the simple_html_dom.php file (that's the only one you need) into the same folder with your script.

3. Add this code into the place where you want to strip the tags and keep the spacing:
require_once("simple_html_dom.php");
$value = str_get_html($value)->plaintext;
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 40352298
Here's the theory, implemented in a simple code snippet. Note the @ in line 25.  In real life you would not need that.  I only put it into the script to suppress the warning that arises from the (incorrect) assumption that I actually have a MySQL database connection.
http://iconoun.com/demo/temp_oliver2000.php

<?php // demo/temp_oliver2000.php
error_reporting(E_ALL);

// SEE http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/Q_28528286.html

/**
 * Theory:
 * We want to trim and store everything that the client put into the textarea, with as little change as possible.
 * We want to display the content in a way that prevents malicious JavaScript or HTML from affecting the client browser.
 * Code assumes that there is a MySQL data base connection.
 *
 * Background reading:
 * Magic Quotes: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html
 * MySQL: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html
 */

// SCRIPT INITIALIZATION
$br_textarea = NULL;

// ACQUIRE THE EXTERNAL INPUT DATA
$textarea    = !empty($_POST['t'])? trim($_POST['t']) : NULL;
if ($textarea)
{
    // THIS IS WHAT WE CAN STORE IN THE DATABASE
    $db_textarea = @mysql_real_escape_string($textarea);

    // THIS IS WHAT WE CAN WRITE TO THE BROWSER
    $br_textarea = htmlentities($textarea);
}

// THE FORM TO RECEIVE THE CLIENT INPUT
$form = <<<EOF
<form method="post">
<textarea name="t">$br_textarea</textarea>
<input type="submit" />
</form>
EOF;
echo $form;

// SHOW THE CLIENT INPUT WITH LINE BREAKS PRESERVED
echo nl2br($br_textarea);

0
 
LVL 53

Accepted Solution

by:
COBOLdinosaur earned 500 total points
ID: 40352554
If you want to preserve the <br /> tags you can change it to keep them with:

$value = strip_tags($value, '<br />');

Cd&
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 40352933
@CD&: I have not revisited this since I posted it a few years ago.  It might be worth re-testing.
http://php.net/manual/en/function.strip-tags.php#88991

Edited: Retesting we get this on PHP 5.4+
http://iconoun.com/demo/strip_tags.php

<?php // demo/strip_tags.php
error_reporting(E_ALL);
echo '<pre>';

$data = '<br>Each<br/>New<br />Line';

echo PHP_EOL . "Strip_Tags() APPLIED TO THIS STRING: " . htmlentities($data);
echo PHP_EOL;

$tag = '<br>';
$new  = strip_tags($data, $tag);
echo PHP_EOL . "USING TAG: " . htmlentities($tag) . " WE GET: " . htmlentities($new);

$tag = '<br/>';
$new  = strip_tags($data, $tag);
echo PHP_EOL . "USING TAG: " . htmlentities($tag) . " WE GET: " . htmlentities($new);

$tag = '<br />';
$new  = strip_tags($data, $tag);
echo PHP_EOL . "USING TAG: " . htmlentities($tag) . " WE GET: " . htmlentities($new);

Best to all, ~Ray
0
 
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 40352986
Okay so: $value = strip_tags($value, '<br>');

Cd&
0
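
An added example, not code from any poster in this thread: it follows the approach described in the comments above (store the text with as little change as possible, escape when writing to the browser, apply nl2br() for display) and sets it beside strip_tags() with a '<br>' allow-list. The pdo_sqlite in-memory database, the notes table and the function names are assumptions made for the illustration.

```php
<?php
// Added example: store the text unchanged, escape only when writing HTML.
// Assumes the pdo_sqlite extension; the in-memory table "notes" is hypothetical.

// Output side: escape every HTML metacharacter, then turn newlines into <br />.
function render_user_text(string $text): string
{
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($escaped);
}

// Storage side: a bound parameter replaces mysql_real_escape_string().
function save_note(PDO $pdo, string $text): int
{
    $stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => trim($text)]);
    return (int) $pdo->lastInsertId();
}

function load_note(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input: two lines, a quote, and markup that must not render.
$input = "This is a test\n\nHere is the second line. <b>O'Brien</b> <br onclick=\"x()\">";

$id     = save_note($pdo, $input);
$stored = load_note($pdo, $id);

// The stored value is byte-for-byte what the user typed (after trim).
var_dump($stored === trim($input));

// strip_tags() with an allow-list keeps the attributes of allowed tags.
echo strip_tags($stored, '<br>'), PHP_EOL;

// Escaping at output keeps the line breaks and neutralises all markup.
echo render_user_text($stored), PHP_EOL;
```

Because the stored value is never HTML-escaped or SQL-escaped in place, the same row can later be written to a textarea, a plain-text e-mail or JSON, each with the escaping that context needs.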
