prevent malicious code

mzanimephp

Hi, I have a small message board script which I'm working on, but I have a problem.

function string1($string){ 
$string = str_replace("<","&lt;", $string);
$string = str_replace(">","&gt;", $string);
$string = str_replace("\n", "<br />", $string);
return($string);
}

I told the script to replace all brackets with HTML ASCII characters but now everytime the user hits return it inserts a VISIBLE <br /> tag!

Is there a way for me to use the break tag and also prevent users from posting HTML code?

Here's a URL if this is confusing.
http://www.mzanime.com/bb/index.php?mode=show_post&id=1084762009.txt

sid

try this:

function string1($string){
    return(nl2br(htmlspecialchars($string)));
}

mzanimephp

Something is wrong, or maybe I'm not doing it right...

function string1($string){
//$string = str_replace("<","&lt;", $string);
//$string = str_replace(">","&gt;", $string);
$string = str_replace("\n", "<br />", $string);
return(nl2br(htmlspecialchars($string)));
}

The output of that is:

This is a test of <code>
<br />
<br />as well as line breaks.

function string1($string){ 
    return(nl2br(htmlspecialchars($string))); 
}

And output here is:

this is a test of <code>

It's odd how it stops abruptly.... it doesn't even finish the text when it parses special characters.

eves

why no try using strip_tags ( string str [, string allowable_tags]) , its much easier, bugs on the function have been fixed in php 4+ versions

function format_string($string){
return( strip_tags($string) );
}

mzanimephp

strip_tags gives the same result as sid's method. :o

Any more ideas people?

sid

leave this line out

$string = str_replace("\n", "<br />", $string);

the function [man]nl2br/man takes care of this already.

you can either use my method,

function string1($string){ 
    return nl2br(htmlspecialchars($string)); 
}

or the one eves suggested, like this:

function string1($string){ 
    return nl2br(strip_tags($string)); 
}

the difference will be, that my version will still display the html tags, but not as tags but as encoded html (like < as <, etc.). eves version will get rid of all html tags altogether, unless you want to allow some specific ones. check [man]strip_tags/man for more info.

mzanimephp

Dang it, something must be wrong with my code. I copied your bit of code just as you had typed it. It DID insert the line breaks, but whats odd is that it doesn't continue with the text after the line breaks are inserted. I have no clue as to why but I'm almost ready to throw in the towel. :o

Please take a look at my attachment.

mzanimephp

No one has any clues or advice??

sid

i havent dug too deeply into the code, but i also have no real explanation for this behavior you are talking about. ill take a look at it again later.