Strip Tags

bigrollerdave

Ok i need to strip all html/javascript tags before its entered into the database here is the code i have

<?php session_start();?>
<?
include ("includes/db.php");
$Sess_UserId = $_SESSION['Sess_UserId'];

include ("logincheck.php");

if($_POST)
{
	$text = $_POST['text'];
	$font = $_POST['fontselect'];
	$size = $_POST['sizeselect'];
	$color = $_POST['colorselect'];
	$bgcolor = $_POST['bgcolorselect'];
	$post = $_POST['postselect'];
	mysql_query("update members set signature = '$text',font='$font', post='$post', size='$size', color='$color', bgcolor='$bgcolor' where mem_userid=$Sess_UserId");
	if(mysql_affected_rows()>=1)
		$msg = "Preference Updated!";
}
	$search = array ("'<script[^>]*?>.*?</script>'si",  // Strip out javascript
					 "/\>/si",          // Strip out HTML tags
					 "/\</si",          // Strip out HTML tags
					 "/\"/"
					 );
	$replace = array ("",
					 "&gt;",
					 "&lt;",
					 "&quot;"
					);


$text = preg_replace($search, $replace, $text);

$preference = mysql_fetch_object(mysql_query("SELECT * from members where members.mem_userid = '$Sess_UserId'"));
?>

That doesnt work = /

thorpe

you need to loop through your arrays.

for ($i=0;$i<=count($search);$i++) {
  $text = preg_replace($search[$i], $replace[$i], $text);
}