[RESOLVED] string find and replace?

atokatim · May 26, 2006

Ok...here is another one for you all. What would be the easiest way to check if a string has a certain text in it. If it does not, add it, but if it does, do nothing. I don't want it to be case sensitive either.

Inputed text : <embed src="http://www.somesite.com/flash.swf">

output text : <embed allowscriptaccess="never" src="http://www.somesite.com/flash.swf">

if inputed like this : <embed allowscriptaccess="never" src="http://www.somesite.com/flash.swf">

or : <EmBed allowscriptaccess="never" src="http://www.somesite.com/flash.swf">

comes out as : <embed allowscriptaccess="never" src="http://www.somesite.com/flash.swf">

here is what i have been trying :

if (!is_int(strpos('<embed allowscriptaccess="never" ', $about))){
	$about = str_replace("<embed ", '<embed allowscriptaccess="never" ', $about);
}

// or.....

if (strpos('<embed allowscriptaccess="never" ', $about) === false){
	$about = str_replace("<embed ", '<embed allowscriptaccess="never" ', $about);
}

any ideas?

atokatim · May 26, 2006

nevermind, i got it.

i used :

$isembed = eregi('<embed allowscriptaccess=', $toreplace);
if($isembed != 1){
	$toreplace = eregi_replace("<embed ", '<embed allowscriptaccess="never" ', $toreplace);
}

atokatim · May 26, 2006

ok, i thought i got it, but i removed a vital part of the script.

How would you get the eregi() function to check for " ? i need to look for <embed allowscriptaccess="never" with the quotes. that seems to be my problem. any ideas?

laserlight · May 26, 2006

Basically, for every embed tag (which is non-standard, by the way) that does not have the attribute allowscriptaccess="never", you want to add that attribute?

atokatim · May 26, 2006

yes, if a user enters any <embed> command in their profile, it will add allowscriptaccess="never" this is to prevent any javascript attacks on users through any flash content that may call for javascripts

laserlight · May 26, 2006

hmm... this seems to work:

$text = preg_replace('#\<embed(.*?)\>#i', '<embed allowscriptaccess="never"\1>', $text);

There is no need to check for a match first since the replacing must find a match before any replace can take place.

atokatim · May 26, 2006

well, that worked...but....if <embed allowscriptaccess="never" is already there, it still puts another allowscriptaccess="never"

if i run it again, it adds another one. is there a way to check to see if allowscriptaccess="never" is already there? If it is, don't do anything?

laserlight · May 26, 2006

if i run it again, it adds another one. is there a way to check to see if allowscriptaccess="never" is already there? If it is, don't do anything?

hmm... looks like I was mistaken then. One does have to scan for that first.

if (preg_match('#<embed.*?allowscriptaccess=(\'|")?never(\'|")?.*?>#i', $text) == 0) {
	$text = preg_replace('#<embed(.*?)>#i', '<embed allowscriptaccess="never"\1>', $text);
}

atokatim · May 26, 2006

Still not working it is still adding another allowscriptaccess="never" blah....i know if there is a will, there is a way!

oh....and it cannot be case sensitive either just incase someone uses <EMBED AllowScriptAccess="never" I swear i ask of too much, but i really appreciate you helping me!

laserlight · May 26, 2006

hmm... are you having problems when there are more than one embed tag? Logically that is rather unlikely to happen, but I dont think my regex handles it.

and it cannot be case sensitive either just incase someone uses <EMBED AllowScriptAccess="never"

It isnt case sensitive.

Weedpacket · May 26, 2006

Modifying laserlight's code to put a negative assertion in:

 $text = preg_replace('#<embed((?:(?!allowscriptaccess="never").)*?)>#i', '<embed allowscriptaccess="never"\1>', $text);

Of course, as laserlight noted, <embed> has been deprecated, in favour of <object>.

atokatim · May 26, 2006

i am using this in a function so that when someone updates their profile, it removes all the things that i do not allow and adds the allowsriptaccess="never" to any embed code that may be in it....no matter how many there are.

still does not work

here is my code...

function filterout($toreplace) 
{
if($toreplace != ""){
	$toreplace = eregi_replace("<script", "<..", $toreplace);
	$toreplace = eregi_replace("</script>", "</..>", $toreplace);
	$toreplace = str_replace("<?", "", $toreplace);
	$toreplace = str_replace("?>", "", $toreplace);
	//$embedcode = '<embed allowscriptaccess=[\"]never(\")';
	//$isembed = eregi($embedcode, $toreplace);
	//if($isembed != 1){
	//	$toreplace = eregi_replace("<embed ", $embedcode, $toreplace);
	//}
	if (preg_match('#<embed.*?allowscriptaccess=(\'|")?never(\'|")?.*?>#i', $toreplace) == 0) {
		$toreplace = preg_replace('#<embed(.*?)>#i', '<embed allowscriptaccess="never"\1>', $toreplace);
	}
}
return $toreplace;
}

atokatim · May 26, 2006

anyone?

atokatim · May 26, 2006

If i took out the quotes in the string that i am trying to find, will that work?

function filterout($toreplace) 
{
if($toreplace != ""){
	$toreplace = eregi_replace("<object", "<..", $toreplace);
	$toreplace = eregi_replace("</object", "</..", $toreplace);
	$toreplace = eregi_replace("<script", "<..", $toreplace);
	$toreplace = eregi_replace("</script", "</..", $toreplace);
	$toreplace = str_replace("<?", "", $toreplace);
	$toreplace = str_replace("?>", "", $toreplace);
	$embedcode = '<embed allowscriptaccess=never';
	$isembed = eregi($embedcode, $toreplace);
	echo $isembed; // Debugging Purposes.
	if($isembed != 1){
		$toreplace = eregi_replace("<embed ", "<embed allowscriptaccess=never ", $toreplace);
	}
}
return $toreplace;
}

the allowscriptaccess=never cannot be overwritten somewhere down in the embed code by allowscriptaccess="always" can it?

example : <embed allowscriptaccess=never src="http://www.somesite.com/flash.swf" allowscriptaccess="always">

would that still not allow script access?

Weedpacket · May 26, 2006

See reply above?

atokatim · May 26, 2006

I tried that, and it worked to replace <embed allowscriptaccess="never", but it kept on adding more allowscriptaccess="never" even if there was one already there.

atokatim · May 26, 2006

This is what i am trying to do in the best way that i can explain this.....

A user has the ability to add code to their profile on my site. I am trying to create a function that will clean up the code if the user is using any html and it is something that i do not want to allow. I have everything working except for if a user enters the <embed> code.

For the embed code, I want to add allowscriptaccess="never" (with or without the quotes) if ANY of the <embed> commands DO NOT already have that in it.

If i enter :

<embed allowscriptaccess=never src="flash.swf">

into one textarea, i want the code to come back as :
<embed allowscriptaccess="never" src="flash.swf"><br>
<embed allowscriptaccess="never" src="flash2.swf"><br>
<embed allowscriptaccess="never" src="flash3.swf"><Br>
<embed allowscriptaccess="never" src="flash.swf">

How would i do this? The problem that i have is i cannot check to see if the <embed> code already has allowscriptaccess="never" because of the quotes.

Weedpacket · May 27, 2006

Or strip all existing occurrences of allowscriptaccess="never" out of any embed tags that contain it, and then you won't have to check it's there when you're putting it in.

In fact, you'd want to strip all occurrences of "allowscriptaccess" attributes, whatever their value, won't you? Don't forget, too, that there can be whitespace between the = and the attribute name and/or value. To deal with different quoting styles it may be easier to deal with ", ' and separately - so that's three expressions. Which I think are

#<embed([^>]*)allowscriptacess\s*=\s*'[^']*'([^>]*)>#i
#<embed([^>]*)allowscriptacess\s*=\s*"[^"]*"([^>]*)>#i
and finally
#<embed([^>]*)allowscriptacess\s*=\s*[^ >]*([^>]*)>#i
each replaced with
<embed$1 $2>

After that it's trivial to just put 'allowscriptaccess="never"' into all <embed> tags.

What would also be simpler (at least, in PHP5) would be to use the DOM extension:

$doc = @DOMDocument::loadHTML($string);
$embed_tags = $doc->getElementsByTagName("embed");
for($i=0; $i<$embed_tags->length; ++$i)
	$embed_tags->item($i)->setAttribute("allowscriptaccess","never");
echo $doc->saveHTML();

Two drawbacks: since <embed> is not a valid HTML tag, the loadHTML() method needs to have its error messages suppressed with @; and the output HTML ends up with additional tags added so that the string is valid HTML. Well, three drawbacks: it assumes the input is HTML, not text with a few HTML tags thrown in....

comeonbaby · May 27, 2006

try this please:

$text = str_replace("\\\"", "\"", $text);		
$text = preg_replace("/ allowscriptaccess=[^ ]*never[^ ]*/i", "", $text);
$text = preg_replace("/<embed /i", "<embed allowscriptaccess=\"never\" ", $text);

:p

comeonbaby · May 27, 2006

i test it worked well, this is my test code:
test.php
<?php
$text = $REQUEST['text'];
if (!empty($submit))
{
$text = str_replace("\\"", "\"", $text);
$text = preg_replace("/ allowscriptaccess=[^ ]never[^ ]/i", "", $text);
$text = preg_replace("/<embed /i", "<embed allowscriptaccess=\"never\" ", $text);
}
?>
<form action="<?php echo $SERVER['PHP_SELF']; ?>">
<textarea name="text" rows="10" cols="150"></textarea><br>
<textarea name="text2" rows="10" cols="150">
<?php
echo $text;
?></textarea>
<input type="submit" name="submit" value="submit">
</form>