Oliver2000 asked:

strip everything but not spaces and line breaks

Hi experts,

I found in my site the following function:

	function checkValues($value)
	{
		 // Use this function on all those values where you want to check for both sql injection and cross site scripting
		 //Trim the value
		 $value = trim($value);
		 
		// Stripslashes
		if (get_magic_quotes_gpc()) {
			$value = stripslashes($value);
		}
		
		 // Convert all <, > etc. to normal html and then strip these
		 $value = strtr($value,array_flip(get_html_translation_table(HTML_ENTITIES)));
		
		 // Strip HTML Tags
		 $value = strip_tags($value);
		
		// Quote the value
		$value = mysql_real_escape_string($value);
		$value = htmlspecialchars ($value);
		return $value;
		
	}



Which works fine, but the problem is that this function cleans my variable more than I wish. Let's say I have an example variable with the following content:

"This is a test

Here is the second line."

then the output after I use this function is:
"This is a test Here is the second line"

I would like to convert this function so that spaces and <br> keep working. I already tried some things and also removed some stuff, but I don't get it to work. I can also kick out the entire function and replace it with something else. What I need is basically only that the text transmitted by the user form doesn't save any HTML, PHP, etc. commands, but only the text plus spaces and line breaks.

Thank you in advance for your help.
Ray Paseur

PHP has the nl2br() function to help with things like this.  Usually the data comes in via a form with a textarea.  I'll show you an example in a moment.

The code sample looks very, very old - to the point that I would call it obsolete.  If you're new to PHP and want to get a good start, this article can help you get a good foundation, and more importantly can help you avoid the many out of date and poor examples of PHP code that litter the internet.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11769-And-by-the-way-I-am-new-to-PHP.html
gr8gonzo
I would suggest using Simple HTML DOM and outputting the plaintext version of the contents. That should do what you want. Can you show an example of the original data?
The Simple HTML DOM method:

1. Download it from:
http://simplehtmldom.sourceforge.net/

2. Unzip the simple_html_dom.php file (that's the only one you need) into the same folder with your script.

3. Add this code into the place where you want to strip the tags and keep the spacing:
require_once("simple_html_dom.php");
$value = str_get_html($value)->plaintext;
Here's the theory, implemented in a simple code snippet. Note the @ in line 25.  In real life you would not need that.  I only put it into the script to suppress the warning that arises from the (incorrect) assumption that I actually have a MySQL database connection.
http://iconoun.com/demo/temp_oliver2000.php

<?php // demo/temp_oliver2000.php
error_reporting(E_ALL);

// SEE http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/Q_28528286.html

/**
 * Theory:
 * We want to trim and store everything that the client put into the textarea, with as little change as possible.
 * We want to display the content in a way that prevents malicious JavaScript or HTML from affecting the client browser.
 * Code assumes that there is a MySQL data base connection.
 *
 * Background reading:
 * Magic Quotes: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html
 * MySQL: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/PHP_Databases/A_11177-PHP-MySQL-Deprecated-as-of-PHP-5-5-0.html
 */

// SCRIPT INITIALIZATION
$br_textarea = NULL;

// ACQUIRE THE EXTERNAL INPUT DATA
$textarea    = !empty($_POST['t'])? trim($_POST['t']) : NULL;
if ($textarea)
{
    // THIS IS WHAT WE CAN STORE IN THE DATABASE
    $db_textarea = @mysql_real_escape_string($textarea);

    // THIS IS WHAT WE CAN WRITE TO THE BROWSER
    $br_textarea = htmlentities($textarea);
}

// THE FORM TO RECEIVE THE CLIENT INPUT
$form = <<<EOF
<form method="post">
<textarea name="t">$br_textarea</textarea>
<input type="submit" />
</form>
EOF;
echo $form;

// SHOW THE CLIENT INPUT WITH LINE BREAKS PRESERVED
echo nl2br($br_textarea);

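The approach in the post above (store the text with as little change as possible, escape only when writing to the browser), as an added example that is not part of the original thread. It swaps the deprecated mysql_* call for a PDO prepared statement and assumes the pdo_sqlite extension is loaded; the in-memory database, the `comments` table, the function names and the sample input are all made up for the demo.

```php
<?php
// Added example: keep storage and display as two separate steps.
declare(strict_types=1);

// Assumption: an in-memory SQLite database stands in for the site's MySQL server.
function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// Store the text as typed (trimmed only). The bound parameter never becomes
// part of the SQL statement, so no escaping function touches the data itself.
function saveComment(PDO $pdo, string $raw): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => trim($raw)]);
    return (int) $pdo->lastInsertId();
}

function loadComment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Escape for the HTML body first, then turn newlines into <br>.
// The only markup in the result is the <br> that nl2br() itself inserts.
function renderComment(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($safe, false);
}

// Constructed sample input: blank line, apostrophe, ampersand and markup.
$input = "This is a test\n\nHere is the second line.\n"
       . "O'Brien wrote <b>bold</b> & <script>demo()</script>";

$pdo    = openDemoDb();
$id     = saveComment($pdo, $input);
$stored = loadComment($pdo, $id);

var_dump($stored === $input);          // the stored text is unchanged
echo renderComment($stored), PHP_EOL;  // tags shown as text, line breaks kept
```

Inside a `<textarea>` the value gets `htmlspecialchars()` only, without `nl2br()`, because the textarea renders the newlines itself.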

ASKER CERTIFIED SOLUTION
COBOLdinosaur
This solution is only available to members.
@CD&: I have not revisited this since I posted it a few years ago.  It might be worth re-testing.
http://php.net/manual/en/function.strip-tags.php#88991

Edited: Retesting we get this on PHP 5.4+
http://iconoun.com/demo/strip_tags.php

<?php // demo/strip_tags.php
error_reporting(E_ALL);
echo '<pre>';

$data = '<br>Each<br/>New<br />Line';

echo PHP_EOL . "Strip_Tags() APPLIED TO THIS STRING: " . htmlentities($data);
echo PHP_EOL;

$tag = '<br>';
$new  = strip_tags($data, $tag);
echo PHP_EOL . "USING TAG: " . htmlentities($tag) . " WE GET: " . htmlentities($new);

$tag = '<br/>';
$new  = strip_tags($data, $tag);
echo PHP_EOL . "USING TAG: " . htmlentities($tag) . " WE GET: " . htmlentities($new);

$tag = '<br />';
$new  = strip_tags($data, $tag);
echo PHP_EOL . "USING TAG: " . htmlentities($tag) . " WE GET: " . htmlentities($new);


Best to all, ~Ray
Okay so: $value = strip_tags($value, '<br>');

Cd&