PHP - Allowing Some Html In Submitted Content
Hey guys,
OK, so actually I have two questions that are kind of related. The first one is how I can allow users to use <i>, <b>, <strong> tags when submitting information in a form. I would like to allow certain tags so they can emphasize things in their text, but I still want to strip the rest for security reasons. I tried using strip_tags() with some exceptions as a second parameter, but as far as I understand, that just allows them to be displayed as text, not for the browser to make text bold for instance. Below is what I have now. function stripdata($data) { return trim(htmlentities(stripslashes($data), ENT_QUOTES)); } echo stripdata($someDataFromMySQL); I also want to ask if the solution above is 100% safe so that users can not submit malicious code that can execute when users' visit a page of mine that displays that code. Thank you in advance. Similar TutorialsI was wondering if there was a way to allow users to input there own HTML and CSS in like a members only site using PHP? If so, how would it be done? I would like to allow special characters in my script like: ஆஇஊஎஐஓ But I don't want to allow HTML like: <b>bold</b> At first I was using htmlentities() when PRINTING OUT (NOT when or before inserting in the query) . Data shows up in MySQL as ᇋᇄᇝᇠᇤᇢᇦ And it was also printed out that way, I'd like to have it translated into it's actual form (ஆஇஊஎஐஓ), yet I don't want <b>bold</b> to be translated as well, I want it to stay <b>bold</b> Is there any way I can do this? I also tried htmlspecialchars() but that didn't do the trick either. If you need script examples let me know. EDIT: To bring it to the point, I want it to be just like in this forum post. The special chars are showing up, and the html is just being printed as <b></b>. Hi There, Is there any way that when a user submits a form, but places a link inside - for example: It is located at this location: http://mylink.com Is there any way that PHP can pick up the fact that there is a link there and tag it correctly so it is clickable? Cheers Matt Hi, How do I open all HTML file contained in a folder, then search for the title of the page, and save the title in the database? Also, is it possible to do this using functions? Cheers. I've set up a staging server with Ubuntu 14.04, Apache, PHP, and MySQL, and I'm having a configuration issue that I need to resolve.
index.html uses a server side include. I was required to change the shtml file it references to a php file, but it's not working properly.
When my webpage uses the code:
<?php include ("footer.shtml"); ?>
then the page loads correctly
However, when I change it to:
<?php include ("footer.php"); ?>
then I instead see a message stating,
"This attachment was removed because it contains data that could pose a security risk."
I can't determine which configuration file I need to change, and what the change needs to be.
Hey, I've created a messaging system for my site and I'm trying to make it so that a copy of the original message is included and automatically put into the message content box when somebody clicks to reply. I've done this literally just by making the "reply" button into a form which also posts the content of the message from the previous page and puts it into the content box. However I have some issues with it: firstly, wherever ' is used, it becomes \' and wherever " is used, the whole of the rest of the message is blanked out. Can anybody point me in the direction of the solutions I might need to make it so that ' and " both appear normally without cutting the rest of the message off? Thanks in advance & let me know if anything is missing! Would someone tell me how to allow foreign letters, normal english letters and numbers using the preg_replace php function? There are websites like Soundcloud, Soundclick, MySpace and more.
The Question:
How to not get a law suite as a website owner when copyright protected music or in other words music from the retail has gotten uploaded?
Will moderating it and having it frequently taken down do the job?
I know that the users themselves could get researched too. The site owner could get requested to give out IP addresses. Though, I kept this separately from that question.
I basically would be looking to be safe and not get a law suite.
I would appreciate the suggestions a lot.
.dropbtn { background-color: #4CAF50; color: white; padding: 10px; font-size: 16px; border: none; } .dropdown { position: relative; display: inline-block; } .dropdown-content { display: none; position: absolute; background-color: #f1f1f1; min-width: 800px; box-shadow: 0px 8px 16px 0px rgba(0,0,0,0.2); z-index: 1; } .dropdown-content img { width: 32px; height: 32px; margin: 3px; position: relative; float: left; } .dropdown-content a { color: black; padding: 12px 16px; text-decoration: none; display: block; } .dropdown-content a:hover {background-color: #ddd;} .dropdown:hover .dropdown-content {display: block;} .dropdown:hover .dropbtn {background-color: #3e8e41;} /* HIDE RADIO */ [type=radio] { position: absolute; opacity: 0; width: 0; height: 0; } /* IMAGE STYLES */ [type=radio] + img { cursor: pointer; } /* CHECKED STYLES */ [type=radio]:checked + img { outline: 2px solid #f00; } <div class="dropdown"> <button class="dropbtn">Dropdown</button> <div class="dropdown-content"> <form name="form" action="icons-submit/submit_icon-default.php" method="post"> <input type="radio" id="icon_default" name="icon_default" value="icons/default.jpg" onchange='if(this.value != 0) { this.form.submit(); }'> <img src="icons/default.jpg"> <input type="text" id="id" name="id" value=" . $row['id'] . " style="background: transparent;border: none;font-size: 0;"> </form> <form name="form" action="icons-submit/submit_icon-default.php" method="post"> <input type="radio" id="icon_default" name="icon_default" value="icons/default.jpg" onchange='if(this.value != 0) { this.form.submit(); }'> <img src="icons/default.jpg"> <input type="text" id="id" name="id" value=" . $row['id'] . " style="background: transparent;border: none;font-size: 0;"> </form> <form name="form" action="icons-submit/submit_icon-Grass_Block.php" method="post"> <label> <input type="radio" id="icon_grass-block" name="icon_grass-block" value="icons/Grass_Block.png"onchange='if(this.value != 0) { this.form.submit(); }'> <img src="icons/Grass_Block.png"> </label> <input type="text" id="id" name="id" value=" . $row['id'] . " style="background: transparent;border: none;font-size: 0;"> </form> <form name="form" action="icons-submit/submit_icon-gear.php" method="post"> <label> <input type="radio" id="icon_gear" name="icon_gear" value="icons/Gear.png"onchange='if(this.value != 0) { this.form.submit(); }'> <img src="icons/Gear.png"> </label> <input type="text" id="id" name="id" value=" . $row['id'] . " style="background: transparent;border: none;font-size: 0;"> </form> </div> </div>
I have text with an apostrophe (Bill's car) that has been encrypted and decrypted, then inserted into a database. After it is decrypted but before inserting it, I process it with $field1 = mysqli_real_escape_string($cxnA, $field1) When I insert the field and view it in MySQL Query Browser, it shows the converted apostrophe: Bill's car When I select on the field Code: [Select] select * from table1 where field1='Bill\'s car'this returns no records I have to use Code: [Select] select * from table1 where field1='Bill's car'to get the record, which is very inconvenient If I display this field in a browser using <input type='text' name=field1 value='".htmlentities($field1Value, ENT_QUOTES, 'UTF-8')."' maxlength='50'> I get - Bill's car - in the browser, which is not what I want. I have to use <input type='text' name=field1 value='".htmlspecialchars_decode(htmlentities($field1Value, ENT_QUOTES, 'UTF-8'), ENT_QUOTES)."' maxlength='50'> to get Bill's car to display. The strange thing is that when I echo field1 before it is inserted, it shows Bill's car. I have even tried the following to get it to insert the proper value: $field1 = htmlspecialchars_decode(mysqli_real_escape_string($cxnA, $field1), ENT_QUOTES); but this doesn't work either. How do you prevent this from happening? Thanks. hi i was wondering how i would make a website that allowed a user to login and edit there website ... like im a hoster and they can have a webpage on my server... how would i do this? allow them to create a database , and use all types of code? please help me this is important , if i didnt explain good enough please tell me Hello Guys, I check the price field on the server side and I am trying to figure out how to allow a comma in the price field example 2,300 Here is the code I use to check the price. Code: [Select] function check_Price($price,$member_id,$description,$ip){ if (isset($price) && (!is_numeric($price))) { do something here } } Thanks in Advance! Dan Hy! Any help on this topic would be much appreciated. Here is the deal. I need to redirect some countries to another URL. But I need to allow a free access for search engine's bots even if they come from those countries. Here is what I did until now: Used MaxMind PHP API and databases to establish redirect. And then tried to modify the code to redirect ONLY if user is from blocked country AND IS NOT allowed crawler... suprise suprise, it's not working as I imagined:)! Here is the code so far: #!/usr/bin/php -q <?php // This code demonstrates how to lookup the country by IP Address include("geoip.inc"); // Uncomment if querying against GeoIP/Lite City. // include("geoipcity.inc"); $gi = geoip_open("GeoIP.dat",GEOIP_STANDARD); $country = geoip_country_code_by_addr($gi, $_SERVER['REMOTE_ADDR']); geoip_close($gi); $my_countries = array('de', 'se', 'no', 'ee', 'it', 'lv', 'cz', 'dk', 'sk', 'at', 'ch', 'lu', 'nl', 'es', 'hu', 'sg', 'gr', 'ua', 'fi', 'ru', 'cn', 'hk', 'my', 'id', 'us', 'ar', 'mx', 'ec', 'cr', 'py', 'br'); $allowed_spiders = array('Googlebot', 'Yammybot', 'Openbot', 'Yahoo', 'MSNbot', 'Ask Jeeves', 'Teoma', 'Architext spider', 'FAST-WebCrawler', 'Slurp', 'Yahoo Slurp', 'ia_archiver', 'Scooter', 'crawler@fast', 'Crawler', 'InfoSeek sidewinder', 'Lycos_Spider_(T-Rex)'); $agent_name = $_SERVER['HTTP_USER_AGENT']; if (in_array(strtolower($country), $my_countries)) { foreach($allowed_spiders as $s){ if(!strpos($s,$agent_name)){ header('Location: www.REDIRECT URL.com'); } } exit; } ?> How I imagined this code should work is: First check from where is user coming. Then compare GeoIP shortcode for country to shortcodes for banned countries. AND then if traffic is indeed from banned country also check if user agent name has anything in it from an array of allowed spider names (Googlebot can be Googlebot, or Googlebot/2.1 for an example). And if it's not allowed spider then redirect user to another address. I tried many variations of this but nothing seems to work. Each time that I tried to fetch page as a googlebot in webmaster, I got 302 redirection. Any help or guidance here MUCH appreciated. Thank you PHP JEDI in advance !! I know the title is a bit confusing but I wasn't exactly sure how to describe my issue and none of my numerous searches online and here returned any positive results for a solution. What I'm trying to do is allow a user to 'choose' one set from multiple sets of numbers for inclusion into the database. The image below should with the visualization of my goal. As you can see from the above image, there's a "button" to the right that states "keep this set". My goal is to allow the user to click the button and the corresponding set of values is then entered into the database as a string (the values aren't being used in any calculations afterwards just being displayed on screen.) The following code below works for auto-insertion if there's only one set generated but nothing I've attempted so far works when it comes to allowing the user to choose one set they'd like entered. <?php additional code here... echo '<table><tr><td>'; for($i=1; $i<=$Sets; $i++){ $Stat_Results = GenStats($uId, $StartSet, $SetOption); echo "Stat values for ".$SetGenerated[$i]; foreach($Stat_Results as $key => $DisplayStats){ echo $DisplayStats.', '; } if($Sets == 1){ $SetResults = implode(',',$Stat_Results); DB_Insert($uId, $SetResults, $TimeStamp); }else if($Sets >= 2){ echo "</td><td> => <input type='button' name='submit' value='keep this set'></td> <tr><td>"; } } echo '</td></tr></table>'; ?> html below here....Variables: $sId, $StartSet, $SetOption, $Sets, $uId, and $TimeStamp are all set in a section not shown in this snippet. I've tried Javascript but too be honest, I'm not all that familiar with it (though I am trying to become more fluid in it) and I've went so far as to try to create the multiple sets as a dropdown box thinking the user could simply select it from there and it be treated as a dynamic form and php would do the rest. But that didn't work either. The form button for submission is the remnant of the <select> list I tried to generate. The form is no longer there. I left the button in to generate the image you see above and has since been removed from the actual code. I admit, I'm stuck and need some guidance because I can't seem to make this work no matter what I do. I realize $Stat_Results is a multidimensional array and contains all the values of each set in their respective array, but so far, I'm at a stand still on properly retrieving those values for insertion. Thanks to all who read and attempt to help! Edited by Cryotech, 01 December 2014 - 03:08 PM. Hi there, I'm new a this, please help me: I've a page in php, that's showing the content of a table, but i want to put a link on it, to save that content in html file to my local hard disk. Can anyone help me please? Thanks a lot. My server is Linux/Apache/PHP.
When a file is uploaded, I use PHP's finfo_open to confirm that the file have the correct file extension matches and delete them if it doesn't match. I also which file mimi types and size could be uploaded.
Things I do with the files include:
Upload user's files and store them in some public directory (/var/www/html/users_public_directory/), and allow other users to directly download them.
Upload user's files and store them in some private directory (/var/www/users_private_directory/), and allow other users to download them using X-Sendfile.
Upload user's ZIP files and convert them to PDF files (unzip the ZIP file, and uses Libreoffice and Imagemagick's convert to convert them to PDFs).
From the server's prospective, what are the risks of allowing users to upload files? Are there some file types which are more dangerous to the server? Could they be executed on the server, and if so, how could this be prevented?
Hello World, I need some tips on how to make a button that does something like the code below. .......echo '<tr><td align="left"><a href="add_cart.php?pid=' . $row1['item_id'] . '">Add to Cart</a></td>........ I've been messing with html form and button type with no success. This code does the job but I prefer a button. Thanks Hello everybody. Have a good day. I'm Lam, I have problem hope you help me. 1. This is content html Quote <img src="http://example.com/logo.png" /> anti http://google.com<br /> and http://bing.com I want convert to Code: [Select] <img src="http://example.com/logo.png" /> anti <a href="http://google.com">http://google.com</a><br /> and <a href="http://bing.com">http://bing.com</a> and this code php Code: [Select] preg_replace("/(http:\/\/[a-zA-Z-0-9._?\/\s]+)/", "<a href=\"$1\">$1</a>", $content); but result Code: [Select] <img src="[color=red]<a href="http://example.com/logo.png">http://example.com/logo.png</a>[/color]" /> anti <a href="http://google.com">http://google.com</a><br /> and <a href="http://bing.com">http://bing.com</a> I can help me I speak English not well hope u ignoring thanks. To execute code on successfully submitting text input, is this "bare minimum" code secure enough?
if(!empty($_POST["textfield_input"])) { ...or is it best to make sure all 4 of these are confirmed:
if (
The html portion is simply: I've searched on the net about this several times, and see different answers, and it looks like each PHP expert has their favorite.... but I would rather know the "best practices" answer to this. Thank you!!
Edited November 5, 2019 by StevenOliver I now know how to append GET over normal hyperlinks, but I don't know how to do it with form submissions. Here's the problem: I have a form like this one: <form method="GET" action=""> <?php require_once ('sort_category_func.php'); $switch = 1; sort_category ($switch); ?> + Most Liked <input type='checkbox' value='mostLiked' name='mostLiked' /> <br /> <input type="submit" name="sortSubmit" value='Go' /> <br /><br /> </form> And the variables: // DROP DOWN MENU VARIABLES $select_category = $_REQUEST['sort_category']; $most_liked = $_GET['mostLiked']; I'm using a while loop to list user submission, you can also sort them by category which works over GET, this works as long as there is no GET data already in the URL, but as soon as there is GET data it won't work anymore. Here's an example: If I have a user profile page opened like this: profile.php?user=konopkov And a category has been chosen to sort the user's submissions the URL will change to: profile.php?sort_category=Logos INSTEAD it should be: profile.php?user=konopkov&sort_category=Logos As I said I know how to achieve this with hyperlinks now, but I have no clue how do it with form submissions. Any suggestions? Thanks. |