phpnoob Posted July 8, 2010

Right now I am building a good forum, and I don't know which PHP tags are good for HTML and which other tags are for removing.
str_replace or preg_replace?
Please help me.

thescientist Posted July 8, 2010

PHP doesn't have tags. I'm actually not quite sure what you're asking for.

phpnoob (Author) Posted July 8, 2010

You know, HTML tags: <img>, <html>, etc. I want to remove all HTML tags in a post.

thescientist Posted July 8, 2010

http://php.net/manual/en/function.htmlentities.php
But to completely remove them, you'll probably have to use some sort of regex.

phpnoob (Author) Posted July 8, 2010

How about strip_tags?
I see there are lots of ways to secure the post against HTML tags, but I can't choose which is the best.

Synook Posted July 9, 2010

strip_tags() is the most reliable way to actually remove the tags; however, if you just want to sanitize the text for HTML output then it is better to turn the sensitive characters into entities, using htmlspecialchars(). Otherwise, no-one would be able to post code they want to display.

phpnoob (Author) Posted July 9, 2010

I am using charset=iso-8859-2 because of Hungarian characters like áéóöőúüá, and I want to see Japanese characters too.
Please help me, htmlspecialchars and htmlentities are not good for Japanese characters: 猫

I see, it has a solution, great.

Gex Posted July 9, 2010

Actually, on this subject, couldn't you just use something like BBCode and remove the HTML with the filter functions, and use preg to replace BB chars with HTML chars?

phpnoob (Author) Posted July 9, 2010

> Actually, on this subject, couldn't you just use something like BBCode and remove the HTML with the filter functions, and use preg to replace BB chars with HTML chars?

You mean replace the <> signs with (&lt;) and (&gt;)?

Gex Posted July 9, 2010

> You mean replace the <> signs with (&lt;) and (&gt;)?

No, I mean like preg_replace(BBCODE,HTMLCODE); You basically define some tags which you want the user to use instead of HTML, and then you put the HTML which each one represents. You could use str_replace but I find preg_replace a lot better.

thescientist Posted July 10, 2010

> No, I mean like preg_replace(BBCODE,HTMLCODE); You basically define some tags which you want the user to use instead of HTML, and then you put the HTML which each one represents. You could use str_replace but I find preg_replace a lot better.

But he just wants them removed. Like gone, removed, not replaced with anything... or doesn't he? I'm not sure at this point.

phpnoob (Author) Posted July 10, 2010

> But he just wants them removed. Like gone, removed, not replaced with anything... or doesn't he? I'm not sure at this point.

I am just searching for the best forum security against attacks, remove or replace etc. I just want the best security against attacks.

Synook Posted July 10, 2010

Then htmlspecialchars() is the best, because it will completely sanitize HTML input without stripping the tags.

phpnoob (Author) Posted July 11, 2010

> Then htmlspecialchars() is the best, because it will completely sanitize HTML input without stripping the tags.

Perhaps read this post.
If I use htmlspecialchars, the Japanese characters are not good.

HungryMind Posted July 11, 2010

Hi!
Try htmlentities();

Code:

```php
<?php
// Run This Code, Then Go To View Source And Then View Its Out Code.
// Because htmlentities() Just Works On HTML Tags, Whatever Content You Write Under HTML Tags In Any Language, It'll Not Disturb.
// Now It's Totally Secure For Database.
print htmlentities("<html><body><input type='text'></body></html>");
// output: <html><body><input type='text'></body></html>
// view source: &lt;html&gt;&lt;body&gt;&lt;input type='text'&gt;&lt;/body&gt;&lt;/html&gt;
?>
```

Synook Posted July 11, 2010

> If I use htmlspecialchars, the Japanese characters are not good.

I don't think the Japanese character issue has anything to do with sanitizing the input. Have you tried using a Unicode character set like UTF-8, instead of iso-8859-2? Only if you were using a non-Unicode Japanese encoding like Shift_JIS or EUC-JP would you need to define the character set in the third argument.

P.S. htmlspecialchars() is usually more appropriate than htmlentities(), as the latter encodes some unnecessary characters.

Gex Posted July 11, 2010

> I don't think the Japanese character issue has anything to do with sanitizing the input. Have you tried using a Unicode character set like UTF-8, instead of iso-8859-2? Only if you were using a non-Unicode Japanese encoding like Shift_JIS or EUC-JP would you need to define the character set in the third argument.
>
> P.S. htmlspecialchars() is usually more appropriate than htmlentities(), as the latter encodes some unnecessary characters.

While on this subject, wouldn't it in general be safer to filter and block HTML and then replace that with BBCode, which in turn will be placed into the DB rather than the raw HTML? I am just curious on this subject, as I have heard many counter arguments regarding the html() functions.

Synook Posted July 11, 2010

I don't think he's trying to make an XSS-safe markup variant, but rather to allow people to enter HTML safely. For example, below, I write some HTML, perhaps for the information of the readers of this post:

<p>Some HTML</p>

Now, how can I get that, so it is displayed (and thus be read by people), but not parsed? The solution is to turn the syntactically relevant characters into entities, using htmlspecialchars().

However, if I did want to create some sort of markup-style formatting system, yes, it is better to use a contrived system such as BBCode, rather than attempt to implement a restricted subset of HTML.

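The BBCode approach discussed above, as an added example that is not part of the original thread: encode the whole post with htmlspecialchars() first, then convert a small whitelist of BBCode tags to HTML. The function name render_post(), the tag set and the sample post are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. render_post() and the tag
// whitelist are hypothetical; the sample post below is constructed.

/**
 * Render a post that may contain a small BBCode subset.
 * Order matters: encode everything first, then turn only whitelisted
 * BBCode into HTML, so no user-supplied "<" or quote reaches the page raw.
 */
function render_post(string $raw): string
{
    // 1. Neutralise all HTML metacharacters, both quote styles included.
    $safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

    // 2. Paired tags without attributes map to fixed HTML.
    $rules = [
        '~\[b\](.*?)\[/b\]~is'       => '<strong>$1</strong>',
        '~\[i\](.*?)\[/i\]~is'       => '<em>$1</em>',
        '~\[code\](.*?)\[/code\]~is' => '<pre><code>$1</code></pre>',
    ];
    $safe = preg_replace(array_keys($rules), array_values($rules), $safe);

    // 3. Links: only http/https URLs are converted. Quotes in the URL are
    //    already entities from step 1, so the href cannot be closed early.
    //    Any other scheme is left as inert [url=...] text.
    return preg_replace(
        '~\[url=(https?://[^\s\]]+)\](.*?)\[/url\]~is',
        '<a href="$1" rel="nofollow">$2</a>',
        $safe
    );
}

// Constructed sample post: allowed BBCode, raw HTML, and two links.
$post = "[b]Hello[/b] <script>alert(1)</script>\n"
      . "[code]<p>Some HTML</p>[/code]\n"
      . "[url=javascript:alert(1)]x[/url] [url=https://example.com/]ok[/url]";

echo render_post($post), "\n";
```

Viewing the page source of the output shows the raw tags as entities, the [code] body readable as text, and only the https link converted to an anchor.
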
End User Posted July 11, 2010

> // Now It's Totally Secure For Database.

This is, unfortunately, not true.

HungryMind Posted July 12, 2010

> This is, unfortunately, not true.

Yeah, Maybe It's True.
Thanks For Guiding Me Too.
I've Just 3 Months Experience In PHP.
I'm Getting My Words Back.

// Now It's Good For Database But Not 100% Secured

boen_robot Posted July 12, 2010

> // Now It's Good For Database But Not 100% Secured

Even that is not correct. htmlspecialchars() or htmlentities() have no relation with databases. mysql_real_escape_string() is the function you need to use to escape special characters in a MySQL DB context. htmlspecialchars() and/or htmlentities() are only useful in HTML outputting context (where the content is not actually outputted as HTML, but as text in HTML).

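The separation of contexts described in the post above, as an added example that is not part of the original thread: the text is stored unmodified through a bound parameter and HTML-encoded only when it is printed. It uses PDO prepared statements with an in-memory SQLite database (assumes the pdo_sqlite extension) in place of mysql_real_escape_string() so that it runs without a server; the table name and sample text are constructed, and the file is assumed to be saved as UTF-8.

```php
<?php
// Added example, not code from the thread. Table and column names are
// hypothetical; the sample text is constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)');

// HTML the author wants shown as text, a single quote that would break a
// hand-built SQL string, and Hungarian plus Japanese characters.
$body = "<p>Some HTML</p> O'Reilly árvíztűrő 猫";

// Database context: the value travels as a bound parameter, separate from
// the SQL text. No HTML encoding is applied before storage.
$stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
$stmt->execute([':body' => $body]);

$stored = $db->query('SELECT body FROM posts WHERE id = 1')->fetchColumn();

// Round-trip check: the stored text is identical to the submitted text.
echo 'stored unchanged: ', var_export($stored === $body, true), "\n";

// HTML context: encode at output time and name the charset explicitly,
// so multi-byte characters pass through intact under UTF-8.
echo 'escaped:  ', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";

// For comparison: strip_tags() removes the markup the author meant to show.
echo 'stripped: ', strip_tags($stored), "\n";
```
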
Archived
This topic is now archived and is closed to further replies.