Tags remove

phpnoob

strip_tags() is the most reliable way to actually remove the tags, however, if you just want to sanitize the text for HTML output then it is better to turn the sensitive characters into entities, using htmlspecialchars(). Otherwise, no-one would be able to post code they want to display.


I am using charset=iso-8859-2 because of Hungarian characters like áéóöőúüá, and I want to see the Japanese charset too. Please help me; htmlspecialchars and htmlentities are not good for Japanese characters like 猫. I see, it has a solution :) great :)

Actually, on this subject, couldn't you just use something like BBCode and remove the HTML with the filter functions, and use preg to replace the BB characters with HTML characters?

You mean replace the <> signs with (&lt;) and (&gt;)?

No, I mean like preg_replace(BBCODE,HTMLCODE); you basically define some tags which you want the user to use instead of HTML, and then you put the HTML which each represents. You could use str_replace, but I find preg_replace a lot better.

No, I mean like preg_replace(BBCODE,HTMLCODE); you basically define some tags which you want the user to use instead of HTML, and then you put the HTML which each represents. You could use str_replace, but I find preg_replace a lot better.

But he just wants them removed. Like gone, removed, not replaced with anything... or doesn't he? I'm not sure at this point.

But he just wants them removed. Like gone, removed, not replaced with anything... or doesn't he? I'm not sure at this point.

I am just searching for the best forum security against attacks, remove or replace etc. I just want the best security against attacks.

Then htmlspecialchars() is the best, because it will completely sanitize HTML input without stripping the tags.


Hi! Try htmlentities(); Code:

<?php
// Run this code, then go to View Source and view its output code.
// Because htmlentities() just works on HTML tags, whatever content you write under HTML tags in any language, it'll not disturb.
// Now it's totally secure for database.
print htmlentities("<html><body><input type='text'></body></html>");
?>

output: <html><body><input type='text'></body></html>
view source: &lt;html&gt;&lt;body&gt;&lt;input type='text'&gt;&lt;/body&gt;&lt;/html&gt;

If I am using htmlspecialchars, the Japanese characters are not good.

I don't think the Japanese character issue has anything to do with sanitizing the input. Have you tried using a Unicode character set like UTF-8 instead of iso-8859-2? Only if you were using a non-Unicode Japanese encoding like Shift_JIS or EUC-JP would you need to define the character set in the third argument.

P.S. htmlspecialchars() is usually more appropriate than htmlentities(), as the latter encodes some unnecessary characters.

I don't think the Japanese character issue has anything to do with sanitizing the input. Have you tried using a Unicode character set like UTF-8 instead of iso-8859-2? Only if you were using a non-Unicode Japanese encoding like Shift_JIS or EUC-JP would you need to define the character set in the third argument.

P.S. htmlspecialchars() is usually more appropriate than htmlentities(), as the latter encodes some unnecessary characters.

While on this subject, wouldn't it in general be safer to filter and block HTML and then replace that with BBCode, which in turn is placed into the DB rather than the raw HTML? I am just curious on this subject, as I have heard many counter-arguments regarding the html*() functions.

I don't think he's trying to make an XSS-safe markup variant, but rather to allow people to enter HTML safely. For example, below, I write some HTML, perhaps for the information of the readers of this post:

<p>Some HTML</p>

Now, how can I get that so it is displayed (and thus can be read by people), but not parsed? The solution is to turn the syntactically relevant characters into entities, using htmlspecialchars().

However, if I did want to create some sort of markup-style formatting system, yes, it is better to use a contrived system such as BBCode rather than attempt to implement a restricted subset of HTML.

// Now It's Good For Database But Not 100% Secured :)
Even that is not correct. htmlspecialchars() or htmlentities() have no relation with databases. mysql_real_escape_string() is the function you need to use to escape special characters in a MySQL DB context. htmlspecialchars() and/or htmlentities() are only useful in HTML outputting context (where the content is not actually outputted as HTML, but as text in HTML).
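The two contexts the last reply separates, shown together as an added example (not code from anyone in this thread): the SQL context is handled by a prepared statement (the modern replacement for mysql_real_escape_string()), and the HTML text context by htmlspecialchars() with UTF-8, which leaves Hungarian and Japanese characters intact. The PDO connection $pdo, the table `posts(body TEXT)` and the sample post are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection $pdo
// (MySQL, utf8mb4) with a table `posts` that has a TEXT column `body`.
declare(strict_types=1);

// 1. Storing: no HTML escaping at all. The prepared statement keeps the
//    user text out of the SQL syntax, so the raw post is stored as typed.
function storePost(PDO $pdo, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// 2. Displaying: escape for the HTML text context only, at output time.
//    ENT_QUOTES also encodes ' so the value is safe inside attribute
//    values; 'UTF-8' as the charset makes multibyte characters such as
//    ő or 猫 pass through untouched instead of being mangled or dropped.
//    ENT_SUBSTITUTE replaces invalid byte sequences rather than returning ''.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample post: a Hungarian word, a Japanese character and some
// HTML the author wants shown as text, not parsed by the browser.
$post = "Köszönöm! 猫 <script>alert('x')</script> <p>Some HTML</p>";

// The declared charset must match the bytes, or iso-8859-2 pages will
// still render the Japanese character as garbage regardless of escaping.
header('Content-Type: text/html; charset=UTF-8');
echo '<p>' . escapeForHtml($post) . '</p>';
// In the browser the tags appear as literal text; in "view source" the
// < > and ' characters are entities, while Köszönöm and 猫 are unchanged.
```

Call storePost($pdo, $post) with a real connection to persist the untouched text; escaping is applied once, on the way out, never before the INSERT.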

Archived

This topic is now archived and is closed to further replies.
