PHP - Disabling HTML In User Input
OK, so I got BBCode working. Now I want to prevent users from inserting HTML into posts. I have the following:
Code:
$PostText = mysql_escape_string($_POST['replytext']);
// first pattern: anything between < and >; second pattern: anything between </ and >
$Replace = Array ('/(<)(.+)(>)/', '/(<\/)(.+)(>)/');
// group 2 (the tag body) is written back between < and >
$ReplaceWith = Array ('<\\2>', '</\\2>');
$PostText = preg_replace($Replace, $ReplaceWith, $PostText);

Now if I were to input

Code:
<a href=http://phpfreaks.net>Php Freaks</a>

into a forum reply it would return:

Code:
<a href=http://phpfreaks.net>Php Freaks

When checking the database it has:

Code:
<a href=http://phpfreaks.net>Php Freaks</a>

Any help on solving this?

Similar Tutorials

The PHP code sends me an email from the server, but the user input is empty or "blank". I only receive: "From: \ Email: \ Subject: \ Message: " and that's it. How do I fix my PHP and/or HTML code to receive user input from the form? Attached is my existing HTML and PHP code that doesn't send me any "user input" from the form. Thanks to anyone who can help!!
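Added example for the opening question (keep BBCode, block HTML); it is editor-written, not code from the original post or from any poster in the thread, and it also answers the later posts about users pasting a textbox's HTML into a message and about showing code on a page without the browser executing it. The regex pair in the question cannot work: group 2 is the whole tag body, and `<\2>` writes it straight back, so the stored and displayed text are unchanged. The robust order is to escape every `<`, `>`, `&`, `"` and `'` with htmlspecialchars() first, and only then translate a small BBCode subset into markup the application itself generates. Assumptions: PHP 7 or later, a `posts` table with a `body` column, and the BBCode tags [b], [i] and [url]; storage goes through a PDO prepared statement because mysql_escape_string() has been removed from PHP.

```php
<?php
// Added example: escape first, then convert BBCode, then store with a prepared statement.
// Table and column names (`posts`, `body`) and the BBCode subset are illustrative assumptions.

function render_post(string $raw): string
{
    // 1. Neutralise every HTML-significant character the user typed.
    //    ENT_QUOTES also converts single quotes, so the text is safe inside attributes;
    //    ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    $text = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. "<" and ">" are gone, so the only tags that can appear are the ones built here.
    $bbcode = [
        '~\[b\](.*?)\[/b\]~s' => '<strong>$1</strong>',
        '~\[i\](.*?)\[/i\]~s' => '<em>$1</em>',
        // http(s) only, so javascript: URLs are never turned into links; quotes in the
        // URL were already escaped in step 1 and cannot terminate the href attribute.
        '~\[url\](https?://[^\s\[\]]+)\[/url\]~i' => '<a href="$1" rel="nofollow">$1</a>',
    ];
    $text = preg_replace(array_keys($bbcode), array_values($bbcode), $text);

    // 3. Keep the poster's line breaks as <br /> tags.
    return nl2br($text);
}

function store_post(PDO $db, string $raw): void
{
    // Store the text as typed; escaping and BBCode rendering happen on output.
    // The bound placeholder replaces mysql_escape_string() for the SQL side.
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);
}

// Constructed input resembling the one in the question, plus two BBCode tags.
$input = '<a href=http://phpfreaks.net>Php Freaks</a> and [b]bold[/b] [url]http://phpfreaks.net[/url]';
echo render_post($input), PHP_EOL;
```

The pasted anchor tag comes out as visible text (`&lt;a href=...&gt;`) while the BBCode becomes real `<strong>` and `<a>` elements. Storing the raw text and rendering on output lets the BBCode rules change later without rewriting rows; if the rendered HTML is cached instead, it must still be produced by this function and never by re-injecting the stored string. Serve the page with `charset=UTF-8` so the escaping and the browser agree on the encoding.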
I let my users post whatever they would like as text. Today I noticed that I forgot to disable HTML characters, so they can even post a textbox's HTML code and create a textbox in the posting section. Is there any way/function to prevent this?

Hey guys! I'm pretty new to PHP and starting work on a project. The first part I'm working on is an HTML page with text fields like this:

Quote
URL:
Dropdown box:
Submit

When the submit happens I want it to post to a PHP page, parse whatever is inside a set of <h2> tags and print it to the PHP page. Also the user selects one of four options from the dropdown box and I need to print the string contained in the selection to the next page as well. As I said I'm pretty new, but here's what I threw together so far based on references I found. It doesn't work correctly:

parse.html:

Code:
<html>
<body>
<form action="parse.php" method="post">
URL: <input type="text" name="turl" /> <br>
Option:
<select name="selectskill">
<option value="1">Low</option>
<option value="2">Mid</option>
<option value="3">High</option>
<option value="4">Known</option>
</select>
<br> <br>
<input type="submit" />
</form>
</body>
</html>

parse.php:

Code:
<html>
<head></head>
<body>
<?php
$lol = $_POST["turl"];
// Fetch whatever URL the user typed into the form
$str = file_get_contents($lol);
$DOM = new DOMDocument;
$DOM->loadHTML($str);
// Grab text inside the heading 2 tags
$items = $DOM->getElementsByTagName('h2');
echo "option: " . $lol;
// Display the content inside the second set of H2 tags
echo $items->item(1)->nodeValue . "<br/>";
?>
</body>
</html>

Thanks for all the help in advance!

Hi, what is the best way to validate user input of strings? A couple of examples would be:

1> If I wanted to check for the existence of the comma ',' character in a string and replace it with a dash '-' character?
2> To check whether a user has entered a valid IP address in the form of x.x.x.x where x can range from 0-255?

I think I may need ereg/preg to do this but I have no idea about how to lay out the syntax. Thanks for looking.

OK so I have a textfield and I have everything going to the database and then displaying on the page. Now is there a way to display code on the page but disable it from executing? There are some break tags in there so I would still like them to be executed on the page. I appreciate your help guys.

I was able to do something to the code. Now it looks like this:

Code:
<?php
include "include/dbc.php";
include "include/header.inc";
?>
<script type="text/javascript">
<!--Hide Code
// Function Statements
//Function to confirm submit
function confirmSubmit() {
    var submitform = window.confirm("Are you sure you want to submit the activities?");
    if (submitform == true) return validateForm();
    return false;
}
// End Hide-->
</script>
<style type="text/css">
.mydate{ color:#00F; text-decoration:underline; cursor:pointer; }
</style>
<script type="text/javascript">
function displayDate(d){
    var date=new Date();
    var D=date.getDate();
    date.setDate(D+d);
    var YYYY=date.getFullYear();
    var MM=date.getMonth()+1;
    MM<10?MM='0'+MM:null;
    var DD=date.getDate();
    DD<10?DD='0'+DD:null;
    var span=document.getElementById('date');
    span.innerHTML= 'Entries for '+MM+'/'+DD+'/'+YYYY;
}
onload=function(){displayDate(0)};
</script>
<h1>Food Diary</h1>
<div class="full">
<center><div><span class="mydate" onclick="displayDate(-1)"><img src="images/left_arrow.png" border="0">Yesterday</span>
<span id="date" style="font-size:2em;"></span>
<span class="mydate" onclick="displayDate(1)">Tomorrow<img src="images/right_arrow.png" border="0"></span></div><br />
<a href="#" onclick="displayDate(0);return false;">Today</a>
</center>
<div class="full">
<form name="exercise" id="exercise" method="GET" action="">
<center><table>
<tr> <td><h3>Add an Activity</h3></td> </tr>
<tr> <td><input name="NewSearchString" style="width: 100px" type="text"/> <input type="submit" value="Search" /> </td> </tr>
<tr> <td> <select
name="activity">
<option value="_">Activity Browse...</option>
<option value="all">All Activities</option>
<option value="biking">Biking</option>
<option value="condition">Conditioning</option>
<option value="dancing">Dancing</option>
<option value="fish">Fishing & Hunting</option>
<option value="Home">Home Activities</option>
<option value="misc">Miscellaneous</option>
<option value="music">Music Playing</option>
<option value="occupation">Occupation</option>
<option value="running">Running</option>
<option value="sports">Sports</option>
<option value="walking">Walking</option>
<option value="water">Water Activities</option>
<option value="winter">Winter Activities</option>
</select>
<input type="submit" value="Submit" /></td></tr></table></center></form>
</td> </tr> </table> </center>
<table width="100%">
<tr bgcolor="#66CC33">
<td><div>Activity</div></td>
<td><div>Specific Activity</div></td>
<td><div>Time (hh:mm)</div></td>
<td><div>Distance</div></td>
<td><div>Units</div></td>
</tr>
<tr bgcolor="#66CC33">
<td><div></div></td> <td><div></div></td> <td><div></div></td>
<td><div class="Float"></div></td> <td class="cp_Distance"><div></div></td>
</tr>
<?php
if (isset($_GET['activity'])) {
    $category = $_GET['activity'];
    // the raw GET value is placed directly inside the SQL string
    $result = mysql_query("SELECT * FROM exercise WHERE type='$category'");
?>
<form action="add_activity.php" method="POST">
<?php
    // one table row, with duration/distance inputs, for every activity in the category
    while ($row = mysql_fetch_array($result)) {
        echo '<tr><td><div>'.$row['Type'].'</div></td>';
        echo '<td><div>'.$row['Name'].'<input type="hidden" name="exerciseid" value="'.$row['Name'].'"></div></td>';
        echo '<td><div><input type="text" name="duration['.$row['Name'].']"></div></td>';
        echo '<td><div><input type="text" name="distance['.$row['Name'].']"></div></td>';
        echo '<td><div><select>
<option value="mile" name="mile">mile</option>
<option value="Km" name="Km">km</option>
<option value="M" name="M">m</option>
<option value="Yard" name="yard">yrd</option>
<option value="Feet" name="feet">ft</option>
</select></div></td></tr>';
    }
    mysql_close();
?>
<tr><td colspan="6" align="center"><input type="submit" name="submit" value="Add Activities"></td></tr>
</form>
<?php } ?>
<tr bgcolor="#66CC33">
<td><div></div></td> <td><div></div></td> <td><div></div></td>
<td><div class="Float"></div></td> <td class="cp_Distance"><div></div></td>
</tr></table>

This somewhat works. The problem is that this code passes all the activities to the second page, where the output looks like this:

Code:
Array
(
    [exerciseid] => Hunting, general
    [duration] => Array
        (
            [Fishing from boat, sitting] => 20
            [Fishing from river bank, standing] =>
            [Fishing in stream, in waders] =>
            [Fishing, general] =>
            [Fishing, ice, sitting] =>
            [Hunting, general] =>
        )
    [distance] => Array
        (
            [Fishing from boat, sitting] => 25
            [Fishing from river bank, standing] =>
            [Fishing in stream, in waders] =>
            [Fishing, general] =>
            [Fishing, ice, sitting] =>
            [Hunting, general] =>
        )
    [submit] => Add Activities
)

Is there a way I can pass what the user input instead of passing everything (form validation maybe)?

Hello, firstly I am only just learning PHP so please bear with me. What I want to be able to do is for a user to be able to enter a YouTube URL, e.g.:

Code:
http://www.youtube.com/watch?v=8xz7ShMCWls

I want the script to take the video ID (after watch?v=) and append it into an HTML embed code for our forums that do not have the feature to auto-embed a YouTube video.

Code:
<p> <img height="350" width="425" class="fw_media_youtube fw-parse" alt="YouTube-AFTER WATCH?V=CODE" src="http://thumbs.webs.com/Platform/mediaPreview.jsp?type=YouTube&id=AFTER WATCH?V=CODE"/></p>

Where you see AFTER WATCH?V=CODE is where I want it to place the video ID and then return this completed code for the user to copy and paste:

Code:
<p> <img height="350" width="425" class="fw_media_youtube fw-parse" alt="YouTube-8xz7ShMCWls" src="http://thumbs.webs.com/Platform/mediaPreview.jsp?type=YouTube&id=8xz7ShMCWls"/></p>

How would I be able to get this done?
I do not expect to be spoon-fed, but just a little help please. Thank you so much if you do help.

Hi, I'm using the form data type 'date', and trying to verify it. It seems a little too complicated to check that it's in the correct format (with "/" between day/month/year), unless I use regular expressions, which I don't know much about, and it feels like there's an alternate solution or it's not necessary. Currently, the script accepts DD*MM*YYYY, where * is any character, since it just strips the 3rd and 6th character and checks the day/month/year using checkdate(). I'm not even sure if this is a problem. I am giving the user a "verify" page, where I could put it in the correct format (DD/MM/YYYY), but is that enough? Feel like I'm missing something here, so any feedback would be great.

Hello all, I have a PHP form with multiple submits (one calculates the price, one checks the date and one submits the form and the data to a MySQL database). When I hit calculate price, for example, the function works fine but all the fields are cleared, and I would like all the input to remain as the user sent it.

Here is part of the code (the form):

Code:
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
<fieldset>
<legend><span><a>video</a></span></legend>
<ol>
<li>
<label for="hover_camera">hover camera</label>
<input id="hover_camera" type="radio" name="hover_camera" value="yes" /><b>yes</b>
<input id="hover_camera" type="radio" name="hover_camera" value="no" /><b>no</b>
</li>
<li>
<label for="video_photographers">video photographers</label>
<input id="video_photographers" type="text" name="video_photographers" maxlength="1" size="1"/>
</li>
<li>
<label for="video_edit">video edit</label>
<input id="video_edit" type="radio" name="video_edit" value="short" /><b>short</b>
<input id="video_edit" type="radio" name="video_edit" value="long" /><b>long</b>
</li>
<li>
<label for="video_clip">video clip</label>
<select name="video_clip">
<option value="no">no</option>
<option value="regular">regular</option>
<option value="staged">staged</option>
</select>
</li>
</ol>
</fieldset><br />
<fieldset align="right">
<legend><span><a>stills</a></span></legend>
<ol>
<li>
<label for="stills">stills</label>
<input id="stills" type="text" name="stills" maxlength="1" size="1" />
</li>
<li>
<label for="increase">increase amount</label>
<input id="increase" type="text" name="increase" maxlength="4" size="1" />
</li>
<li>
<label for="magnets">magnets</label>
<input id="magnets" type="text" name="magnets" maxlength="4" size="1" />
</li>
</ol>
</fieldset><br />
<fieldset align="right">
<legend><span><a>albums</a></span></legend>
<ol>
<li>
<label for="digital_album">digital album</label>
<input id="digital_album" type="radio" name="digital_album" value="yes" /><b>yes</b>
<input id="digital_album" type="radio" name="digital_album" value="no" /><b>no</b>
</li>
<li>
<label for="photo_album">photo album</label>
<input id="photo_album" type="radio" name="photo_album" value="yes" /><b>yes</b>
<input id="photo_album" type="radio" name="photo_album" value="no" /><b>no</b>
</li>
<li>
<label for="small_digital_album">small digital album</label>
<input id="small_digital_album" type="radio" name="small_digital_album" value="yes" /><b>yes</b>
<input id="small_digital_album" type="radio" name="small_digital_album" value="no" /><b>no</b>
</li>
</ol>
</fieldset><br />
<fieldset align="right">
<ol>
<li>
<label for="comments">comments</label>
<textarea id="comments" name="comments"></textarea><br /><br />
</li>
<li>
<label for="price">price</label>
<input type="submit" id="price" name="price" value="calculate price" />
</li>
</ol>
</fieldset><br />
<fieldset align="right">
<legend><span><a>choose date</a></span></legend>
<ol>
<li>
<input type="submit" id="isavailable" name="isavailable" value="isavailable" />
</li>
</ol>
</fieldset>
<fieldset class="submit">
<ol>
<li>
<input class="submit" type="submit" id="submit" name="submit" value="done!" />
<input class="submit" type="reset" id="reset" name="reset" value="reset" />
</li>
</ol>
</fieldset>
</form>

Thanks for the help.

Hi, how do I generate a Google Map from a user registration form? For example, the user enters username, password, and address. I want to show the username, address and corresponding map on the following confirmation page. I have already used the static API to render the map as an image, but this is hard-coded. I don't know how to pass the address into the address param. Any help would be much appreciated. Thanks!

Hello, I'm creating an application where a user can input their own CSS. The problem I'm having is understanding if this will open security holes if...

1. The user's input is saved to a file called style.css
2. Each user is on their own sub-domain from my reseller hosting plan.
3. The style.css file will be included in the page code like so:

Code:
<link type='text/css' rel='stylesheet' href='style.css' />

Any advice?

I have a page that has roughly 100 text input fields. Once the user is done, I need to put the data in my MySQL db.
How do I get the data from the user input page to the PHP page that will process the data (e.g. process.php)? I've done some searching and found a few possibilities:

- use an AJAX-style callback to load a separate ASP page (e.g. createsession.asp) and have that page set session variables that can then be read by process.php
- write everything to a cookie using some sort of delimiter so that it can handle multiple variables (e.g. cookie data => var1/var2/var3/var4...)
- write all the data to a text file and then have process.php load that file

Which should I pursue? Is there a better option?

Well this may sound confusing. I tried to find ways to allow users to input an integer value and then assign it to a variable called $quantity, but all I could find on the internet was the usage of forms. Do I have to use forms, or can I just try this simple syntax:

Code:
$quantity = "<input name='quantity' type='text' id='quantity' size='3' maxlength='3'>";

If I do have to use forms, then how can I ever assign the user's input value to a variable? Please help.

I have a form a user may submit which has a text area. If the user enters "Today is the first day of the week" it will be stored in the database like that (note the carriage returns etc). If I then get that data from the table and echo it, it will print as 'Today is the first day of the week'. How can I print it so that it will retain the user's input formatting/the formatting shown stored in the table?

I have a family site with a member list and a forum that both run on MySQL. One of the items in the member list is the birthday. What I would like to achieve is that a day or 2 before a member's birthday, a post will be automatically inserted in the forum (a post saying that this person's birthday is coming up in a few days) without any user input. I would like to have this done automatically because I don't feel like setting up a cron job for every member separately. There are just too many members.

What I need is a script that will create a cron job or something similar the moment a new member registers, updates his profile and sets his birthday.

I manage a simple website for a small business - nothing fancy. I'm interested in using some PHP to enhance the site a bit. I'm looking to accept some user input and put it into a database, then display it back to them on another page. What PHP functions would be best to use to accomplish this? Thanks for the input!

The code below is a function that checks to see if an email address exists in a database, and if so it alerts the user. The db has one table and one field. It works fine when there is ONE record! However, if there are > 1 it doesn't work. How can I step through each record and compare it to what the user entered? Of course, $_POST is the user's value and the db record is the $myAddy value.

Code:
<?php
function emailLookup() {
    include ('file:///Library/WebServer/Documents/re_connect_scripts/emailLookup.php');
    // after the loop $myAddy holds the value from the last row fetched
    while ($row = mysqli_fetch_array($result)) {
        extract ($row);
        $myAddy = $addy;
    }
    if ($_POST["add_email"] == $myAddy) {
        global $lookupError;
        $lookupError = 'This email address is already on the list.';
        global $counter;
        $counter++;
    } else {
        return;
    }
}
?>

I am trying to keep the user input clean with this script but can't figure out what is wrong with it. The error I am getting is "Warning: preg_match() expects parameter 1 to be string".

Code:
$bad_strings = array(
    "content-type:",
    "mime-version:",
    "multipart/mixed",
    "Content-Transfer-Encoding:",
    "bcc:",
    "cc:",
    "to:",
);
// preg_match() takes one pattern string as its first argument; $bad_strings is an array
if (preg_match($bad_strings, $first_name)) {
    die;
}

Set up:
* XAMPP 1.7.3
* Apache 2.2.14 (IPv6 enabled) + OpenSSL 0.9.8l
* MySQL 5.1.41 + PBXT engine
* PHP 5.3.1
* phpMyAdmin 3.2.4
* Perl 5.10.1
* FileZilla FTP Server 0.9.33
* Mercury Mail Transport System 4.72

I'm trying to set up a multipage registration script. It's tough! I've set up some basic scripts to distribute variables into the correct tables from previous forms using a session.
But I want the script to check that the input from form one is valid before it moves on to form 2. Here are my scripts:

form 1:

Code:
<html>
<head>
<title>Register</title>
<style type="text/css">
td { vertical-align: top; }
</style>
</head>
<body>
<form action="form2.php" method="post">
<table>
<tr>
<td><label for="name">Username:</label></td>
<td><input type="text" name="name" id="name" size="20" maxlength="20" value=""/></td>
</tr><tr>
<td><label for="password">Password:</label></td>
<td><input type="password" name="password" id="password" size="20" maxlength="20" value=""/></td>
</tr><tr>
<td><label for="first_name">First name:</label></td>
<td><input type="text" name="first_name" id="first_name" size="20" maxlength="20" value=""/></td>
</tr><tr>
<td><label for="last_name">Last name:</label></td>
<td><input type="text" name="last_name" id="last_name" size="20" maxlength="20" value=""/></td>
</tr><tr>
<td><label for="email">Email:</label></td>
<td><input type="text" name="email" id="email" size="20" maxlength="50" value=""/></td>
</tr><tr>
<td><label for="address">Address:</label></td>
<td><input type="text" name="address" id="address" size="20" maxlength="20" value=""/></td>
</tr><tr>
<td><label for="city">City/Town:</label></td>
<td><input type="text" name="city" id="city" size="20" maxlength="20" value=""/></td>
</tr><tr>
<td><label for="county">County:</label></td>
<td><input type="text" name="county" id="county" size="20" maxlength="20" value=""/></td>
</tr><tr>
<td><label for="post">Postcode:</label></td>
<td><input type="text" name="post" id="post" size="20" maxlength="20" value=""/></td>
</tr><tr>
<td><label for="home">Home Number:</label></td>
<td><input type="text" name="home" id="home" size="20" maxlength="20" value=""/></td>
</tr><tr>
<td><label for="mobile">Mobile:</label></td>
<td><input type="text" name="mobile" id="mobile" size="20" maxlength="20" value=""/></td>
</tr><tr>
<td> </td>
<td><input type="submit" name="submit" value="Submit"/></td>
</tr>
</table>
</form>
</body>
</html>

Form 2:

Code:
<?php
//let's start the session
session_start();
//now, let's register our session variables
session_register('name');
session_register('password');
session_register('first_name');
session_register('last_name');
session_register('email');
session_register('address');
session_register('city');
session_register('county');
session_register('post');
session_register('home');
session_register('mobile');
//finally, let's store our posted values in the session variables
$_SESSION['name'] = $_POST['name'];
$_SESSION['password'] = $_POST['password'];
$_SESSION['first_name'] = $_POST['first_name'];
$_SESSION['last_name'] = $_POST['last_name'];
$_SESSION['email'] = $_POST['email'];
$_SESSION['address'] = $_POST['address'];
$_SESSION['city'] = $_POST['city'];
$_SESSION['county'] = $_POST['county'];
$_SESSION['post'] = $_POST['post'];
$_SESSION['home'] = $_POST['home'];
$_SESSION['mobile'] = $_POST['mobile'];
?>
<html>
<head>
<title>Register</title>
<style type="text/css">
td { vertical-align: top; }
</style>
</head>
<body>
<form action="form3.php" method="post">
<table>
<tr>
<td><label for="bio">Biography:</label></td>
<td><input type="text" name="bio" id="bio" size="400" maxlength="500" value=""/></td>
</tr><tr>
<td> </td>
<td><input type="submit" name="submit" value="Submit"/></td>
</tr>
</table>
</form>
</body>
</html>

I've also got form3.php and process_forms.php (that's where I mysql_real_escape_string and input the data) but that's probably not relevant. How would I get this to work? Are there any sites I should look at that you'd recommend? Any help appreciated.
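Added example, written for this page and not taken from any of the posts above, covering two of them at once: the multipage registration post (validate form 1 server-side before form 2 copies anything into the session) and the post whose preg_match() call received an array of mail-header strings. preg_match() wants one pattern string; a list of literal markers is simpler to check with stripos() in a loop, and the markers that actually enable header injection are the CR and LF characters, which the posted list did not include. Field names follow form 1 above; the individual rules (username charset, minimum password length, phone format) are assumptions for illustration, and the code assumes PHP 7 or later, where session_register() no longer exists and $_SESSION is written directly.

```php
<?php
// Added example: validate the form-1 submission before it reaches $_SESSION, and reject
// values that could inject mail headers. Rules below are illustrative assumptions.

// Literal markers from the broken preg_match() post, lower-cased, plus the line breaks
// that let an attacker append headers. Compared with stripos(), which takes a string.
const MAIL_HEADER_MARKERS = [
    "\r", "\n", "content-type:", "mime-version:", "multipart/mixed",
    "content-transfer-encoding:", "bcc:", "cc:", "to:",
];

function contains_mail_header(string $value): bool
{
    foreach (MAIL_HEADER_MARKERS as $marker) {
        if (stripos($value, $marker) !== false) {
            return true;
        }
    }
    return false;
}

// Returns field => error message; an empty array means the submission is acceptable.
function validate_form1(array $post): array
{
    $errors = [];
    foreach (['name', 'password', 'first_name', 'last_name', 'email'] as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $errors[$field] = 'required';
        }
    }
    if (isset($post['name']) && !preg_match('/^[A-Za-z0-9_]{3,20}$/', $post['name'])) {
        $errors['name'] = 'use 3-20 letters, digits or underscores';
    }
    if (isset($post['password']) && strlen($post['password']) < 8) {
        $errors['password'] = 'at least 8 characters';
    }
    if (isset($post['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid address';
    }
    // Anything that later lands in a mail header must not carry header syntax itself.
    foreach (['email', 'first_name', 'last_name'] as $field) {
        if (isset($post[$field]) && contains_mail_header($post[$field])) {
            $errors[$field] = 'contains characters that are not allowed';
        }
    }
    // Optional phone fields: digits, spaces, plus and dashes only.
    foreach (['home', 'mobile'] as $field) {
        if (!empty($post[$field]) && !preg_match('/^[0-9 +\-]{6,20}$/', $post[$field])) {
            $errors[$field] = 'not a valid phone number';
        }
    }
    return $errors;
}

// Glue for form2.php (session_start() must already have been called by the caller):
// only a submission with no errors is copied into the session.
function accept_form1(array $post): array
{
    $errors = validate_form1($post);
    if ($errors === []) {
        $keep = ['name', 'first_name', 'last_name', 'email', 'address',
                 'city', 'county', 'post', 'home', 'mobile'];
        foreach ($keep as $field) {
            $_SESSION[$field] = $post[$field] ?? '';
        }
        // Keep a hash in the session, never the plain-text password.
        $_SESSION['password_hash'] = password_hash($post['password'], PASSWORD_DEFAULT);
    }
    return $errors;
}

// Constructed submissions: one clean, one carrying a header-injection attempt in the email.
$clean = ['name' => 'alice_01', 'password' => 'correct horse battery', 'first_name' => 'Alice',
          'last_name' => 'Smith', 'email' => 'alice@example.com', 'home' => '01234 567890'];
$hostile = $clean;
$hostile['email'] = "alice@example.com\r\nBcc: victim@example.com";

print_r(validate_form1($clean));
print_r(validate_form1($hostile));
```

In form2.php the pattern is: call validate_form1($_POST) first, redisplay form 1 with the error list if it is non-empty, and only otherwise copy the fields into $_SESSION. Validation happens on the server regardless of what the HTML maxlength attributes say, because those are trivially bypassed. The hostile submission fails twice on the email field (FILTER_VALIDATE_EMAIL rejects the line break and contains_mail_header() finds both the CR/LF and "bcc:"), and the rejected value never reaches the session or a mail() call.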