Prevent '<' and '>' Signs in Posts?



How can I prevent the less-than and greater-than signs in the username field and in the message of a post? As well as slashes (/ and \).

 

<form method="post" action="" id="reply">
					<script type="text/javascript">
					function hi(id){
						var val = id.options[id.selectedIndex].value;
						var text = id.options[id.selectedIndex].text;
						if (val.length != 0){document.getElementById('user').value = text;hide('passrow');}
						else { 
							document.getElementById('user').value = '';
							document.getElementById('passrow').style.cssText = '';
						}
					}
					</script>

					<div id="userpass" style="background: #000;">
						<table style="border: 2px solid #252564; background: #1F1F5D;" width="100%" cellpadding="0" class="quick_userpass">
							<tr>
								<td background="/images/bg3.jpg" height="26px"><font face=arial size=2 color="white">   <b>Your Name or Nickname</b></td>
							</tr>
							<tr>
								<td><input size=50 name="user" id="user" value="" style="margin-left: 10px;"></td>
							</tr>
							<tr><td background="/images/bg3.jpg" height=26px></td></tr>
						</table>

						<div id="passrow" style="">
							<p>
							<table width=100% cellpadding=0 class="quick_userpass" style="border: 2px solid #252564; background: #1F1F5D;">
								<tr><td background="/images/bg3.jpg" height=26px style=""><font face=arial size=2 color="white">   <b>Password (optional)</b></td></tr>
								<tr><td style=""><input size=50 name="pass" id="pass" type="password" style="margin-left: 10px;"  value=""></td></tr>
								<tr><td background="/images/bg3.jpg" height=26px></td></tr>
							</table>
							</p>
						</div>

						<p>
							<table width=100% cellspacing=0 cellpadding=4 class="quick_userpass" style="border: 2px solid #252564; background: #1F1F5D;">
								<tr bgcolor="#121236"><td><font face=arial size=2 color="white"><b>Enter your message here</b></font></td></tr>
								<tr><td><center><textarea id="quickreply" name="message" rows=10 cols=50 wrap="VIRTUAL" ></textarea></center></td></tr>
							</table>
							<div id="preview" style="display: none;"></div>
						</p>
						<br />
						<center>
							<font face=arial size=2>When you're happy with your message, click:</font>
							<div id="javano"><input type="submit" value=" Post Message "></div>
						</center>
						<input type="hidden" name="tid" value="<?php echo (int) $_GET["tid"]; ?>" />
					</div>
				</form>

 

 

That is the code I'm using for User/Pass/message fields.


Ok, I figured out how to replace one character per script...can I do 2+ characters per script?

 

<script type="text/javascript">

var str=">";
document.write(str.replace(">","../."));

</script>

 

 

Would I just paste "var str=">";" under the first "var str=">";"?


function html2entities(sometext){
  // match each character that needs an HTML entity and swap it in
  var re=/[<>"'&]/g;
  return sometext.replace(re, function(m){return replacechar(m)});
}

function replacechar(match){
  if (match=="<")
    return "&lt;";
  else if (match==">")
    return "&gt;";
  else if (match=="\"")
    return "&quot;";
  else if (match=="'")
    return "&#039;";
  else if (match=="&")
    return "&amp;";
}

document.form.namefield.value = html2entities(document.form.namefield.value); //replace "<", ">", "&" and quotes in a form field with the corresponding HTML entity instead

 

 


The JavaScript functions can be called in your JavaScript tags.

Maybe you should read up a bit on how JavaScript functions work, then implement those functions the right way. But as pikachu mentioned, that only works on the user side; you also need to do it in PHP, or else people who have JavaScript disabled will have a problem.

You can use either str_replace or strip_tags to remove < > tags.


Would these 2 pieces of code benefit me and only affect the user/message fields? If not, how can I do that?

 

<?php

function msword_conversion($str) 
{ 
$str = str_replace(chr(130), ',', $str);    // baseline single quote
$str = str_replace(chr(131), 'NLG', $str);  // florin
$str = str_replace(chr(132), '"', $str);    // baseline double quote
$str = str_replace(chr(133), '...', $str);  // ellipsis
$str = str_replace(chr(134), '**', $str);   // dagger (a second footnote)
$str = str_replace(chr(135), '***', $str);  // double dagger (a third footnote)
$str = str_replace(chr(136), '^', $str);    // circumflex accent
$str = str_replace(chr(137), 'o/oo', $str); // permile
$str = str_replace(chr(138), 'Sh', $str);   // S Hacek
$str = str_replace(chr(139), '<', $str);    // left single guillemet
// $str = str_replace(chr(140), 'OE', $str);   // OE ligature
$str = str_replace(chr(145), "'", $str);    // left single quote
$str = str_replace(chr(146), "'", $str);    // right single quote
// $str = str_replace(chr(147), '"', $str);    // left double quote
// $str = str_replace(chr(148), '"', $str);    // right double quote
$str = str_replace(chr(149), '-', $str);    // bullet
$str = str_replace(chr(150), '-', $str);    // endash
$str = str_replace(chr(151), '--', $str);   // emdash
// $str = str_replace(chr(152), '~', $str);    // tilde accent
// $str = str_replace(chr(153), '(TM)', $str); // trademark ligature
$str = str_replace(chr(154), 'sh', $str);   // s Hacek
$str = str_replace(chr(155), '>', $str);    // right single guillemet
// $str = str_replace(chr(156), 'oe', $str);   // oe ligature
$str = str_replace(chr(159), 'Y', $str);    // Y Dieresis
$str = str_replace('°C', '&deg;C', $str);   // Celsius is used quite a lot so it makes sense to add this in
$str = str_replace('£', '&pound;', $str); 
$str = str_replace("'", '&#39;', $str);
$str = str_replace('"', '&quot;', $str);
$str = str_replace('–', '&ndash;', $str);

return $str;
}

?>

 

<?php 
function fix_unsafe_attributes($s) { 
  $out = ''; 
  while (preg_match('/<([A-Za-z])[^>]*?>/', $s, $i, PREG_OFFSET_CAPTURE)) { // find where the tag begins 
    $i = $i[1][1]+1; 
    $out.= substr($s, 0, $i); 
    $s = substr($s, $i); 

    // scan attributes and find odd " and ' 
    while (((($i1 = strpos($s, '"')) || 1) && (($i2 = strpos($s, '\'')) || 1)) && ($i1 !== false || $i2 !== false) && 
           (($i = (int)(($i1 !== false) && ($i2 !== false) ? ($i1 < $i2 ? $i1 : $i2) : ($i1 == false ? $i2 : $i1))) !== false) && 
           ((($c = strpos($s, '>')) === false) || ($i < $c))) { 

      $c = $s[$i]; // string offsets use [], the {} form is gone in PHP 8 
      if (($i < 1) || ($s[$i-1] != '=')) { 
        $out.= substr($s, 0, $i).($s[$i] == '"' ? '&quot;' : '&#39;'); // replace odd " and ' 
        $s = substr($s, $i+1); 
      }else { 
        $i++; 
        $out.= substr($s, 0, $i); 
        $s = substr($s, $i); 

        if (($i = strpos($s, $c)) !== false) { 
          $i++; 
          $out.= substr($s, 0, $i); 
          $s = substr($s, $i); 
        } 
      } 
    } 
  } 
  return $out.$s; 
} 
?> 


I put the whole code in my current PHP file, but it didn't work.

 

<?php 
$fid = $_GET['fid'];
require "global.php"; 
if ($_POST)
{
$user = $_POST['user'];
$password = $_POST['password'];
$message = $_POST['message'];
$title = $_POST['title'];
$date = time();
if (! trim($message) ) { // check the message only after it has been read from the form
// message is blank
}

$data = sprintf("INSERT INTO threads (tid, fid, title, user, dateline) VALUES (DEFAULT, $fid, '$title', '$user', $date)");
mysql_query($data);
$tid = mysql_insert_id();
//$data = sprintf("INSERT INTO posts VALUES (DEFAULT, $tid, '$user', '$message', $date)");
//mysql_query($data);
//header( 'Location: viewthread.php?tid='.$tid );
header( 'Location: newpost.php?fid='.$fid );
exit;
}
echo '
<font size=5><b>Add a New Post:</b></font>
<form action="" method="POST" name="formpost" id="formpost">
<table>
<tr><td>Username:</td><td><input name="user" id="user" /></td></tr>
<tr><td>Password (optional):</td><td><input type="password" name="password"></td></tr>
<tr><td>Post Title:</td><td><input name="title" /></td></tr>
<tr><td valign="top">Message: </td><td><textarea rows="10" cols="50" name="message"></textarea></td></tr>
</table>
<input type="submit" value=" Add new post " />
</form>';
?>
<?php 
function fix_unsafe_attributes($s) { 
  $out = ''; 
  while (preg_match('/<([A-Za-z])[^>]*?>/', $s, $i, PREG_OFFSET_CAPTURE)) { // find where the tag begins 
    $i = $i[1][1]+1; 
    $out.= substr($s, 0, $i); 
    $s = substr($s, $i); 

    // scan attributes and find odd " and ' 
    while (((($i1 = strpos($s, '"')) || 1) && (($i2 = strpos($s, '\'')) || 1)) && ($i1 !== false || $i2 !== false) && 
           (($i = (int)(($i1 !== false) && ($i2 !== false) ? ($i1 < $i2 ? $i1 : $i2) : ($i1 == false ? $i2 : $i1))) !== false) && 
           ((($c = strpos($s, '>')) === false) || ($i < $c))) { 

      $c = $s[$i]; // string offsets use [], the {} form is gone in PHP 8 
      if (($i < 1) || ($s[$i-1] != '=')) { 
        $out.= substr($s, 0, $i).($s[$i] == '"' ? '&quot;' : '&#39;'); // replace odd " and ' 
        $s = substr($s, $i+1); 
      }else { 
        $i++; 
        $out.= substr($s, 0, $i); 
        $s = substr($s, $i); 

        if (($i = strpos($s, $c)) !== false) { 
          $i++; 
          $out.= substr($s, 0, $i); 
          $s = substr($s, $i); 
        } 
      } 
    } 
  } 
  return $out.$s; 
} 
?> 


<?php 
function fix_unsafe_attributes($s) { 
  $out = ''; 
  while (preg_match('/<([A-Za-z])[^>]*?>/', $s, $i, PREG_OFFSET_CAPTURE)) { // find where the tag begins 
    $i = $i[1][1]+1; 
    $out.= substr($s, 0, $i); 
    $s = substr($s, $i); 

    // scan attributes and find odd " and ' 
    while (((($i1 = strpos($s, '"')) || 1) && (($i2 = strpos($s, '\'')) || 1)) && ($i1 !== false || $i2 !== false) && 
           (($i = (int)(($i1 !== false) && ($i2 !== false) ? ($i1 < $i2 ? $i1 : $i2) : ($i1 == false ? $i2 : $i1))) !== false) && 
           ((($c = strpos($s, '>')) === false) || ($i < $c))) { 

      $c = $s[$i]; // string offsets use [], the {} form is gone in PHP 8 
      if (($i < 1) || ($s[$i-1] != '=')) { 
        $out.= substr($s, 0, $i).($s[$i] == '"' ? '&quot;' : '&#39;'); // replace odd " and ' 
        $s = substr($s, $i+1); 
      }else { 
        $i++; 
        $out.= substr($s, 0, $i); 
        $s = substr($s, $i); 

        if (($i = strpos($s, $c)) !== false) { 
          $i++; 
          $out.= substr($s, 0, $i); 
          $s = substr($s, $i); 
        } 
      } 
    } 
  } 
  return $out.$s; 
}

$fid = $_GET['fid'];
require "global.php"; 
if ($_POST)
{
$user = fix_unsafe_attributes($_POST['user']);
$password = fix_unsafe_attributes($_POST['password']);
$message = fix_unsafe_attributes($_POST['message']);
$title = fix_unsafe_attributes($_POST['title']);
$date = time();
if (! trim($message) ) { // check the message only after it has been read from the form
// message is blank
}

$data = sprintf("INSERT INTO threads (tid, fid, title, user, dateline) VALUES (DEFAULT, $fid, '$title', '$user', $date)");
mysql_query($data);
$tid = mysql_insert_id();
//$data = sprintf("INSERT INTO posts VALUES (DEFAULT, $tid, '$user', '$message', $date)");
//mysql_query($data);
//header( 'Location: viewthread.php?tid='.$tid );
header( 'Location: newpost.php?fid='.$fid );
exit;
}
echo '
<font size=5><b>Add a New Post:</b></font>
<form action="" method="POST" name="formpost" id="formpost">
<table>
<tr><td>Username:</td><td><input name="user" id="user" /></td></tr>
<tr><td>Password (optional):</td><td><input type="password" name="password"></td></tr>
<tr><td>Post Title:</td><td><input name="title" /></td></tr>
<tr><td valign="top">Message: </td><td><textarea rows="10" cols="50" name="message"></textarea></td></tr>
</table>
<input type="submit" value=" Add new post " />
</form>';
?>


Darkfreaks, that code works....to an extent.  Like, if I enter: <b>Hello</b> the entire page freezes when you click, "Add new post."  It allows me to post things like: >test though.

 

Keep in mind, I also have the JS code still on the same page.

 

But uh, could I just have an error pop-up or something instead of the page freezing and making nothing clickable on the site?


Yeahhh, I have no idea what I am doing.

But I did find this....will it do anything that will work?

 

<?php 
function formspecialchars($var) 
    { 
        if (is_array($var)) {    // If variable is an array 
            $out = array();      // Set output as an array 
            foreach ($var as $key => $v) {      
                $out[$key] = formspecialchars($v);         // Run formspecialchars on every element of the array and return the result. Also maintains the keys. 
            } 
        } else { 
            // Decode until nothing changes so double-encoded input (&amp;lt;) becomes plain 
            // text before being encoded exactly once. Looping on a regex match instead would 
            // never finish on an entity the decoder does not know, e.g. &nbsp; with 
            // htmlspecialchars_decode(); each pass here that changes anything shortens $out, 
            // so the loop always terminates. 
            $out = $var; 
            do { 
                $prev = $out; 
                $out = html_entity_decode($out, ENT_QUOTES, 'UTF-8'); 
            } while ($out !== $prev); 
            $out = htmlspecialchars(stripslashes(trim($out)), ENT_QUOTES, 'UTF-8', true);     // Trim the variable, strip all slashes, and encode it 
        } 
        
        return $out; 
    } 
?>


Why not use PDO to insert rather than all these ridiculous custom-made functions?

 

 

<?php 
$host="";
$dbuser="";   // database credentials, kept apart from the posted username below
$dbpass="";
$fid = (int) $_GET['fid'];
require "global.php"; 
if ($_POST)
{
$user = $_POST['user'];
$password = $_POST['password'];
$message = $_POST['message'];
$title = $_POST['title'];
$date = time();
if (! trim($message) ) { // check the message only after it has been read from the form
// message is blank
}
try{
$dbh = new PDO("mysql:host=$host;dbname=replace_with_dbname", $dbuser, $dbpass);
//*** set the error reporting attribute ***//
   $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
//insert with bound parameters: the posted values never become part of the SQL text
$stmt = $dbh->prepare("INSERT INTO threads (tid, fid, title, user, dateline) VALUES (DEFAULT, ?, ?, ?, ?)");
$stmt->execute(array($fid, $title, $user, $date));
$tid = $dbh->lastInsertId();
//$stmt = $dbh->prepare("INSERT INTO posts VALUES (DEFAULT, ?, ?, ?, ?)");
//$stmt->execute(array($tid, $user, $message, $date));
//header( 'Location: viewthread.php?tid='.$tid );
//close connection
$dbh = NULL;
header( 'Location: newpost.php?fid='.$fid );
exit;
}
catch(PDOException $e)
    {
    echo $e->getMessage();
    }
}
echo '
<font size=5><b>Add a New Post:</b></font>
<form action="" method="POST" name="formpost" id="formpost">
<table>
<tr><td>Username:</td><td><input name="user" id="user" /></td></tr>
<tr><td>Password (optional):</td><td><input type="password" name="password"></td></tr>
<tr><td>Post Title:</td><td><input name="title" /></td></tr>
<tr><td valign="top">Message: </td><td><textarea rows="10" cols="50" name="message"></textarea></td></tr>
</table>
<input type="submit" value=" Add new post " />
</form>';
?>

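The server-side handling the replies above point at (escape in PHP rather than only in JavaScript, and go through PDO), as one added example that is not code from the thread: it stores the typed text verbatim through bound parameters, checks the username against an assumed whitelist, and encodes only at the moment the text is placed into HTML. It assumes the pdo_sqlite extension as a stand-in for the poster's MySQL setup; the table layout follows the thread's INSERT.

```php
<?php
// Added example, not code from the thread: bind parameters on the way in,
// whitelist the username, and HTML-encode on the way out. Table layout
// follows the thread's INSERT; in-memory SQLite stands in for MySQL (assumed).
declare(strict_types=1);

function valid_username(string $u): bool {
    // Assumed policy: 3 to 20 letters, digits, underscores or spaces.
    return preg_match('/^[A-Za-z0-9_ ]{3,20}$/', $u) === 1;
}

function h(string $s): string {
    // Encode for an HTML text node or quoted attribute; ENT_QUOTES covers ' and ".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function insert_thread(PDO $dbh, int $fid, string $title, string $user): int {
    // The values travel as parameters, so < > ' " and \ inside them are just data.
    $stmt = $dbh->prepare(
        'INSERT INTO threads (fid, title, user, dateline) VALUES (?, ?, ?, ?)');
    $stmt->execute([$fid, $title, $user, time()]);
    return (int) $dbh->lastInsertId();
}

function render_thread(PDO $dbh, int $tid): string {
    $stmt = $dbh->prepare('SELECT title, user FROM threads WHERE tid = ?');
    $stmt->execute([$tid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Encoding happens here, where the stored text meets the HTML.
    return '<b>' . h($row['title']) . '</b> posted by ' . h($row['user']);
}

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE threads (tid INTEGER PRIMARY KEY, fid INTEGER, '
         . 'title TEXT, user TEXT, dateline INTEGER)');

// Constructed inputs: the thread's own <b>Hello</b> case plus quotes and slashes.
$posts = [
    ['Guest 1',  "<b>Hello</b> it's \"me\" / \\"],
    ['<script>', 'title does not matter here'],
];
foreach ($posts as [$user, $title]) {
    if (!valid_username($user)) {
        echo 'Invalid username: ', h($user), "\n";   // an error message, not a frozen page
        continue;
    }
    $tid = insert_thread($dbh, 1, $title, $user);
    echo render_thread($dbh, $tid), "\n";
}
```

The first post renders with the tags and quotes shown literally while the database row still holds the original characters, so the same text can later be re-used in a non-HTML context without un-escaping.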

PDO is an acronym for PHP Data Objects. PDO is a lean, consistent way to access databases. This means developers can write portable code much more easily. PDO is not an abstraction layer like PearDB. PDO is more like a data access layer which uses a unified API (Application Programming Interface).


Have you tried preg_replace and allowing say only letters and numbers? Something like this?

<?php
$userName = preg_replace("/[^A-Z a-z0-9]/", "", $_POST['userName']);
$userPwd = preg_replace("/[^A-Za-z0-9]/", "", $_POST['userPwd']);
$postText = preg_replace("/[^A-Za-z0-9]/", "", $_POST['postText']);

?>
