
Cabbit

macrumors 68020
Original poster
Jan 30, 2006
2,128
1
Scotland
PHP:
<?php
function form_title_validate($value)
// Validates the title text field. Returns array('error' => string, 'validated_output' => string). //
{
    $error       = '';
    $valid_value = '';

    // Escape HTML metacharacters so the value is safe to echo back into the page
    // (this stops HTML/script injection, not SQL injection). //
    $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");
    // Strip tags (after escaping there are no raw tags left, so this is a no-op). //
    $value = strip_tags($value);

    // Trim surrounding whitespace; compare with === so a title of "0" is not treated as empty. //
    $value = trim($value);
    if ($value === '')
    {
        // If the value is empty. //
        $error = "The title field is empty.";
    }
    else if (!preg_match('/\w/', $value))
    {
        /* The value must contain at least one word character.
            a valid input would be "Hello"
            invalid inputs: ".", "...", "    /"
        */
        $error = "The title field makes no sense.";
    }
    else if (is_numeric($value))
    {
        // Sets the is-numeric error. //
        $error = "The title field is numeric; it must be alpha-numeric.";
    }
    else if (strlen($value) < 5)
    {
        // Too short, to avoid laziness. //
        $error = "The title field is too short; it must be at least 5 characters.";
    }
    else if (strlen($value) > 60)
    {
        // Too long. //
        $error = "The title field is too long; it must be at most 60 characters.";
    }
    else
    {
        // The validated value is returned to the caller. //
        $valid_value = $value;
    }

    $return_vals["error"] = $error;
    $return_vals["validated_output"] = $valid_value;
    return $return_vals;
}

function form_body_validate($value)
// Validates the post body. Returns array('error' => string, 'validated_output' => string). //
{
    $error       = '';
    $valid_value = '';

    // Escape HTML metacharacters so the value is safe to echo back into the page. //
    $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");
    // Strip tags (after escaping there are no raw tags left, so this is a no-op). //
    $value = strip_tags($value);

    // Trim surrounding whitespace; compare with === so a body of "0" is not treated as empty. //
    $value = trim($value);
    if ($value === '')
    {
        // If the value is empty. //
        $error = "The body of this post is empty.";
    }
    else if (!preg_match('/\w/', $value))
    {
        /* The value must contain at least one word character.
            a valid input would be "Hello"
            invalid inputs: ".", "...", "    /"
        */
        $error = "The body makes no sense.";
    }
    else if (is_numeric($value))
    {
        // Sets the is-numeric error. //
        $error = "The body of your post is numeric; it must be alpha-numeric.";
    }
    else if (strlen($value) < 5)
    {
        // Too short, to avoid laziness. //
        $error = "The body of your post is too short; it must be at least 5 characters.";
    }
    else if (strlen($value) > 12500)
    {
        // Too long. //
        $error = "The body of your post is too long; it must be at most 12500 characters.";
    }
    else
    {
        // The validated value is returned to the caller. //
        $valid_value = $value;
    }

    $return_vals["error"] = $error;
    $return_vals["validated_output"] = $valid_value;
    return $return_vals;
}

?>

<html>
	<head>
		<title>Text Validation</title>
		<style type="text/css">
			body {
				background-color: #ffffff;
				color: #333;
				font-family: Geneva,Arial,Helvetica,sans-serif;
			}
			h1 {
				line-height: 1.6em;
				font-size: 1.6em;
				margin: 0em 0em 0em 0em;
				padding: 0em 0em 0em 0em;
			}
			h2 {
				line-height: 1.2em;
				font-size: 1.2em;
				margin: 0em 0em 0em 0em;
				padding: 0em 0em 0em 0em;
			}
			label {
				display: inline;
				font-size: 0.8em;
				margin: 2px;
			}
			p {
				font-size: 1em;
				line-height: 1.2em;
				padding: 0em 0em 0em 0em;
				margin: .2em 0 .6em 0;
			}
			ul {
				font-size: 0.8em;
				color: #ff4444;
		 		margin: 0; padding: 0;
 				list-style: none;
			}
		</style>
	</head>
<body>
<?php
if (!isset($_GET['validate']))
{
	// Title //
	echo '<h1>Input form</h1>';

	// Form //
	echo '<form name="input_validation" action="text_validation.php?validate" method="post">';

	// Title //
	echo '<p><label for="title">Title:</label><input type="text" name="title" id="title"></p>';

	// Body //
	echo '<p><label for="body">Body:</label><br /><textarea name="body" id="body" cols="40" rows="5"></textarea></p>';

	// Submit //
	echo '<input type="submit" value="submit">';

	// End form //
	echo '</form>';
}
else
{
	// Read the posted fields; default to '' so a missing field does not raise a notice. //
	$raw_title = isset($_POST['title']) ? $_POST['title'] : '';
	$raw_body  = isset($_POST['body'])  ? $_POST['body']  : '';

	// Validate each field once and reuse the result for both the error list and the output. //
	$title = form_title_validate($raw_title);
	$body  = form_body_validate($raw_body);

	// Title //
	echo '<h1>Output</h1>';

	// errors: only print an item when the validator actually set a message //
	echo '<ul>';
	if ($title['error'] !== '')
	{
		echo '<li>'.$title['error'].'</li>';
	}
	if ($body['error'] !== '')
	{
		echo '<li>'.$body['error'].'</li>';
	}
	echo '</ul>';
	// end errors //

	// The validated values were already passed through htmlspecialchars, so they are safe to echo.
	// stripslashes() is only needed when magic_quotes_gpc is on. //
	echo '<h3>'.stripslashes($title['validated_output']).'</h3>';
	echo '<p>'.stripslashes($body['validated_output']).'</p>';

	// back button //
	echo '<a href="text_validation.php">Back</a>';
}
?>
</body>
</html>


For the body function I would like it to keep some of the HTML coding such as <p> and <h1> yet exclude other coding such as <script>. Is there an easy way for me to implement this into the form_body_validate function?
 

angelwatt

Moderator emeritus
Aug 16, 2005
7,852
9
USA
See the documentation for strip_tags as there is a second argument you can use to list exceptions when stripping out tags. I believe this is what you're after.
 

angelwatt

Moderator emeritus
Aug 16, 2005
7,852
9
USA
thanks, but is that what is making it replace the tag <p> with &lt;p&gt; ?

Ah, no, the function htmlspecialchars is what is doing that. You can try to use the htmlspecialchars function after you do a strip tags call. Then if you need the < and > back in place you can do a search and replace on the string.

PHP:
$value = strip_tags($value, '<p><h1>');
$value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");
$value = preg_replace('/&lt;([^(>)]+)&gt;/m', '<$1>', $value);
Just a note I haven't tested the above replace code.
 

Cabbit

macrumors 68020
Original poster
Jan 30, 2006
2,128
1
Scotland
Ah, no, the function htmlspecialchars is what is doing that. You can try to use the htmlspecialchars function after you do a strip tags call. Then if you need the < and > back in place you can do a search and replace on the string.

PHP:
$value = strip_tags($value, '<p><h1>');
$value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");
$value = preg_replace('/&lt;([^(>)]+)&gt;/', '<$1>', $value);
Just a note I haven't tested the above replace code.

Hey thanks it works great. Any idea how secure this code will be for preventing SQL injection?
My learning of functions is aimed at really bettering my understanding of coding to make coding much easier for myself, next on my list is classes.
 

angelwatt

Moderator emeritus
Aug 16, 2005
7,852
9
USA
Hey thanks it works great. Any idea how secure this code will be for preventing SQL injection?
My learning of functions is aimed at really bettering my understanding of coding to make coding much easier for myself, next on my list is classes.

-deleting chunk-

As far as blocking SQL injections, I don't use databases much, but my current block is done by,
PHP:
$regInject = "/bcc:|cc:|multipart|\[url|\[link|Content-Type:/i";
if (preg_match($regInject,implode($_POST))) { ...}
// and for pulling items out of $_POST or the like
$name = stripslashes(strip_tags($_POST['name']));
but that was for a feedback form where I was trying to stop email hijacking. The mysql_real_escape_string function is one to look at though.

Some reading:
http://blog.phpkemist.com/2007/07/1...-using-php-programming-and-mysql-programming/
http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
 

Cabbit

macrumors 68020
Original poster
Jan 30, 2006
2,128
1
Scotland
I have been working on it a little more and it's starting to shape up to do a lot of stuff that I have been wanting it to do. But I am having a problem when it gets something like <p style="text-align: center; "> with it not treating that the same as a <p> tag. I have tried a few things out but am not getting anywhere with it.

PHP:
function form_body_validate($value)
// Validates the post body. Returns array('error' => string, 'validated_output' => string). //
{
    $error       = '';
    $valid_value = '';

    // Removing the &nbsp; entities the editor inserts. //
    $value = preg_replace('/&nbsp;/i', '', $value);

    // Sets the allowed tags. strip_tags() matches on the tag name only and keeps the
    // attributes of an allowed tag, so the last entry adds nothing beyond '<p>'. //
    $value = strip_tags($value, '<p><h1><h2><h3><img><p style="text-align: center; ">');

    // Does the htmlspecialchars bit //
    $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");

    // Turns the escaped &lt; and &gt; back into < and > so the allowed tags render. //
    $value = preg_replace('/&lt;([^(>)]+)&gt;/', '<$1>', $value);

    // Trim surrounding whitespace; compare with === so a body of "0" is not treated as empty. //
    $value = trim($value);
    if ($value === '')
    {
        // If the value is empty. //
        $error = "The body of this post is empty.";
    }
    else if (!preg_match('/\w/', $value))
    {
        /* The value must contain at least one word character.
            a valid input would be "Hello"
            invalid inputs: ".", "...", "    /"
        */
        $error = "The body makes no sense.";
    }
    else if (is_numeric($value))
    {
        // Sets the is-numeric error. //
        $error = "The body of your post is numeric; it must be alpha-numeric.";
    }
    else if (strlen($value) < 5)
    {
        // Too short, to avoid laziness. //
        $error = "The body of your post is too short; it must be at least 5 characters.";
    }
    else if (strlen($value) > 12500)
    {
        // Too long. //
        $error = "The body of your post is too long; it must be at most 12500 characters.";
    }
    else
    {
        // The validated value is returned to the caller. //
        $valid_value = $value;
    }

    $return_vals["error"] = $error;
    $return_vals["validated_output"] = $valid_value;
    return $return_vals;
}
 

angelwatt

Moderator emeritus
Aug 16, 2005
7,852
9
USA
Well, when pre-built functions get you down, devise your own. Actually we can do this with Regexp, but I suppose you could turn it into a function too.

PHP:
// Replace
$value = strip_tags($value, '<p><h1><h2><h3><img><p style="text-align: center; ">');
// with
$value = preg_replace('/<\/?(?:\b(?!(p\b)|(h[1-3])|(img))[^>]+?)>/i', '', $value);
I tested the above with the following text
PHP:
$str = <<<EOF
<h1>Heading</h1>
<p>A <strong>paragraph</strong></p>
<p style="text-align: center; ">Another
<img src="image.jpg" alt="" /> paragraph.</p>

EOF;
and it worked as expected, stripping the strong tag and leaving everything else. You can test the regexp on my regular expression testing tool (ah, shameless plug). As a note, the (p\b) part of the regexp above keeps it from matching the pre, param, and samp (and some others) tags.
 
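The regexp above allowlists tag names, but an allowed tag keeps every attribute it arrived with, so `<p onclick="...">` or `<img src="javascript:...">` passes through untouched. The following is an added example, not code from this thread or from either poster, showing an attribute-aware allowlist built on PHP's DOM extension instead of a regexp. It covers both the `<p style="text-align: center; ">` case raised above and the original wish to keep `<p>`/`<h1>` while excluding `<script>`, and goes beyond the regexp by checking attribute values and dropping script content entirely. The allowed tag and attribute lists, the restriction of `style` to a `text-align` declaration, the function names (`sanitize_post_body`, `sanitize_children`, `attribute_value_ok`) and the sample input are all choices made for this example.

```php
<?php
// Added example: attribute-aware allowlist sanitizer (not the thread's code).
// Parses with DOMDocument so attributes are inspected rather than matching tag names.

function sanitize_post_body($html)
{
    // Element => attributes permitted on it. Anything not listed is removed.
    $allowed = array(
        'p'   => array('style'),
        'h1'  => array(),
        'h2'  => array(),
        'h3'  => array(),
        'img' => array('src', 'alt'),
    );
    // Elements removed together with their content, not just their tags.
    $drop_with_content = array('script', 'style', 'iframe', 'object', 'embed');

    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);     // tolerate editor-generated markup quirks
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);

    sanitize_children($body, $allowed, $drop_with_content);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);           // text nodes come back entity-escaped
    }
    return $out;
}

function sanitize_children(DOMNode $parent, array $allowed, array $drop_with_content)
{
    // Snapshot the children: the live list changes as nodes are moved or removed.
    $children = array();
    foreach ($parent->childNodes as $child) {
        $children[] = $child;
    }
    foreach ($children as $node) {
        if ($node->nodeType === XML_TEXT_NODE) {
            continue;                              // plain text is kept
        }
        if ($node->nodeType !== XML_ELEMENT_NODE) {
            $parent->removeChild($node);           // comments, CDATA, processing instructions
            continue;
        }
        $tag = strtolower($node->nodeName);
        if (in_array($tag, $drop_with_content, true)) {
            $parent->removeChild($node);
            continue;
        }
        if (!isset($allowed[$tag])) {
            // Unknown element (e.g. <strong>, <h4>): keep its children, drop the tag itself.
            sanitize_children($node, $allowed, $drop_with_content);
            while ($node->firstChild) {
                $parent->insertBefore($node->firstChild, $node);
            }
            $parent->removeChild($node);
            continue;
        }
        // Allowed element: remove every attribute that is not allowlisted or fails its value check.
        $names = array();
        foreach ($node->attributes as $attr) {
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            if (!in_array($name, $allowed[$tag], true)
                || !attribute_value_ok($tag, $name, $node->getAttribute($name))) {
                $node->removeAttribute($name);
            }
        }
        if ($tag === 'img' && !$node->hasAttribute('src')) {
            $parent->removeChild($node);           // an image whose src was rejected is useless
            continue;
        }
        sanitize_children($node, $allowed, $drop_with_content);
    }
}

function attribute_value_ok($tag, $name, $value)
{
    if ($tag === 'p' && $name === 'style') {
        // Only a text-align declaration is permitted; this is the centred-paragraph case.
        return (bool) preg_match('/^\s*text-align\s*:\s*(?:left|center|right|justify)\s*;?\s*$/i', $value);
    }
    if ($tag === 'img' && $name === 'src') {
        // http(s) URLs or plain relative paths; no javascript:, data: or other schemes.
        return (bool) preg_match('#^(?:https?://[^\s"\'<>]+|/[^\s"\'<>]*|[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*)$#i', $value);
    }
    return true;                                   // alt: serialised with quotes escaped by saveHTML
}

// Constructed sample input: an inline tag to unwrap, a centred paragraph to keep,
// an image, and injection attempts via event handlers, a javascript: URL and a script.
$sample = '<h1>Heading</h1>'
        . '<p style="text-align: center; " onclick="alert(1)">A <strong>paragraph</strong></p>'
        . '<p><img src="image.jpg" alt="pic" onerror="alert(1)"> <img src="javascript:alert(1)"></p>'
        . '<script>alert(1)</script><p style="background:url(javascript:alert(1))">Plain text</p>';
echo sanitize_post_body($sample), "\n";
```

Run against the sample, the heading and the centred paragraph survive with their `text-align` style, `<strong>` is unwrapped to its text, the `onclick` and `onerror` handlers are removed, the second image disappears because its `javascript:` src was rejected, the `<script>` element is dropped with its content, and the last paragraph loses its `background:url(...)` style. Note the order compared with the thread's pipeline: nothing is passed through `htmlspecialchars` first, so there is no need to turn `&lt;`/`&gt;` back afterwards; the serialiser escapes text nodes on the way out.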

Cabbit

macrumors 68020
Original poster
Jan 30, 2006
2,128
1
Scotland
http://abcomforts.com/test/text_validation.php

This is a link to the actual script in motion. ^_^ What I am trying to do is make it so only the fields I have specified in fckeditor are allowed. So far smilies, img and font indent do not work and I don't think that centering and stuff works either.

PHP:
<?php
function form_title_validate($value)
// Validates the title text field. Returns array('error' => string, 'validated_output' => string). //
{
    $error       = '';
    $valid_value = '';

    // Escape HTML metacharacters so the value is safe to echo back into the page
    // (this stops HTML/script injection, not SQL injection). //
    $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");
    // Strip tags (after escaping there are no raw tags left, so this is a no-op). //
    $value = strip_tags($value);

    // Trim surrounding whitespace; compare with === so a title of "0" is not treated as empty. //
    $value = trim($value);
    if ($value === '')
    {
        // If the value is empty. //
        $error = "The title field is empty.";
    }
    else if (!preg_match('/\w/', $value))
    {
        /* The value must contain at least one word character.
            a valid input would be "Hello"
            invalid inputs: ".", "...", "    /"
        */
        $error = "The title field makes no sense.";
    }
    else if (is_numeric($value))
    {
        // Sets the is-numeric error. //
        $error = "The title field is numeric; it must be alpha-numeric.";
    }
    else if (strlen($value) < 5)
    {
        // Too short, to avoid laziness. //
        $error = "The title field is too short; it must be at least 5 characters.";
    }
    else if (strlen($value) > 60)
    {
        // Too long. //
        $error = "The title field is too long; it must be at most 60 characters.";
    }
    else
    {
        // The validated value is returned to the caller. //
        $valid_value = $value;
    }

    $return_vals["error"] = $error;
    $return_vals["validated_output"] = $valid_value;
    return $return_vals;
}

function form_body_validate($value)
// Validates the post body. Returns array('error' => string, 'validated_output' => string). //
{
    $error       = '';
    $valid_value = '';

    // Removing the &nbsp; entities the editor inserts. //
    $value = preg_replace('/&nbsp;/i', '', $value);

    // Sets the allowed tags: everything except p, h1-h3 and img is removed (attributes on
    // the allowed tags are left as they are). //
    $value = preg_replace('/<\/?(?:\b(?!(p\b)|(h[1-3])|(img))[^>]+?)>/i', '', $value);

    // Does the htmlspecialchars bit //
    $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");

    // Turns the escaped &lt; and &gt; back into < and > so the allowed tags render. //
    $value = preg_replace('/&lt;([^(>)]+)&gt;/', '<$1>', $value);

    // Trim surrounding whitespace; compare with === so a body of "0" is not treated as empty. //
    $value = trim($value);
    if ($value === '')
    {
        // If the value is empty. //
        $error = "The body of this post is empty.";
    }
    else if (!preg_match('/\w/', $value))
    {
        /* The value must contain at least one word character.
            a valid input would be "Hello"
            invalid inputs: ".", "...", "    /"
        */
        $error = "The body makes no sense.";
    }
    else if (is_numeric($value))
    {
        // Sets the is-numeric error. //
        $error = "The body of your post is numeric; it must be alpha-numeric.";
    }
    else if (strlen($value) < 12)
    {
        // Too short, to avoid laziness. //
        $error = "The body of your post is too short; it must be at least 12 characters.";
    }
    else if (strlen($value) > 12500)
    {
        // Too long. //
        $error = "The body of your post is too long; it must be at most 12500 characters.";
    }
    else
    {
        // The validated value is returned to the caller. //
        $valid_value = $value;
    }

    // Returning the values as an array. //
    $return_vals["error"] = $error;
    $return_vals["validated_output"] = $valid_value;
    return $return_vals;
}
?>

<html>
	<head>
		<title>Text Validation</title>
		<style type="text/css">
			body {
				background-color: #ffffff;
				color: #333;
				font-family: Geneva,Arial,Helvetica,sans-serif;
			}
			h1 {
				line-height: 1.6em;
				font-size: 1.6em;
				margin: 0em 0em 0em 0em;
				padding: 0em 0em 0em 0em;
			}
			h2 {
				line-height: 1.2em;
				font-size: 1.2em;
				margin: 0em 0em 0em 0em;
				padding: 0em 0em 0em 0em;
			}
			h4 {
				line-height: 1.2em;
				font-size: 1.2em;
				margin: 0em 0em 0em 0em;
				padding: 0em 0em 0em 0em;
			}
			label {
				display: inline;
				font-size: 0.8em;
				margin: 2px;
			}
			p {
				font-size: 1em;
				line-height: 1.2em;
				padding: 0em 0em 0em 0em;
				margin: .2em 0 .6em 0;
			}
			ul {
				font-size: 0.8em;
				color: #ff4444;
		 		margin: 0; padding: 0;
 				list-style: none;
			}
		</style>
	</head>
<body>
<?php
if (!isset($_GET['validate']))
{
	// Title //
	echo '<h1>Input form</h1>';

	// Form //
	echo '<form name="input_validation" action="text_validation.php?validate" method="post">';

	// Title //
	echo '<p><label for="title">Title:</label><input type="text" name="title" id="title"></p>';

	// Body: FCKeditor replaces the plain textarea; its files live in ../editor/ //
	echo '<p><label for="body">Body:</label><br />';
	include("../editor/fckeditor.php");
	$sBasePath = '../editor/';		// '/fckeditor/' is the default value
	$oFCKeditor = new FCKeditor('body');
	$oFCKeditor->BasePath	= $sBasePath;
	$oFCKeditor->Value		= '';
	$oFCKeditor->Create();
	echo '</p>';

	// Submit //
	echo '<input type="submit" value="submit">';

	// End form //
	echo '</form>';
}
else
{
	// Read the posted fields; default to '' so a missing field does not raise a notice. //
	$raw_title = isset($_POST['title']) ? $_POST['title'] : '';
	$raw_body  = isset($_POST['body'])  ? $_POST['body']  : '';

	// Validate each field once and reuse the result for both the error list and the output. //
	$title = form_title_validate($raw_title);
	$body  = form_body_validate($raw_body);

	// Title //
	echo '<h1>Output</h1>';

	// errors: only print an item when the validator actually set a message //
	echo '<ul>';
	if ($title['error'] !== '')
	{
		echo '<li>'.$title['error'].'</li>';
	}
	if ($body['error'] !== '')
	{
		echo '<li>'.$body['error'].'</li>';
	}
	echo '</ul>';
	// end errors //

	// original inputs, shown as escaped source so unvalidated HTML is never rendered //
	echo '<h2>The original inputs</h2>';
	echo '<pre>'.htmlspecialchars(stripslashes($raw_body), ENT_QUOTES, 'UTF-8').'</pre>';

	// Validated title (already escaped by form_title_validate). stripslashes() is only
	// needed when magic_quotes_gpc is on. //
	echo '<h3>'.stripslashes($title['validated_output']).'</h3>';

	// Validated body: the allowed tags are kept, so this is echoed as HTML //
	echo stripslashes($body['validated_output']);

	// back button //
	echo '<br /><a href="text_validation.php">Back</a>';
}
?>
</body>
</html>
 

angelwatt

Moderator emeritus
Aug 16, 2005
7,852
9
USA
http://abcomforts.com/test/text_validation.php

This is a link to the actual script in motion. ^_^ what i am trying to do is make it so only the fields i have specified in fckeditor are allowed. So far smilies, img and font indent does not work and i don't think that centering and stuff works ether.

I'm not quite following. How are things working and not working (specifically)? I've never used FCKEditor so not sure how you specified what fields were allowed and such. You have a lot of code there, so specifics of where you're needing help will go a long way to helping us help you.

When I tried the page it seemed to do what I believe you wanted it to do, so that's what's kind of confusing me.
 

memco

macrumors 6502
May 1, 2008
261
20
It looked to me like your two validate functions were identical. In that case, you could just have the function validate() and pass both the title and body through it (even including optional params like what constitutes too long or short).
 

SrWebDeveloper

macrumors 68000
Dec 7, 2007
1,871
3
Alexandria, VA, USA
It looked to me like your two validate functions were identical. In that case, you could just have the function validate() and pass both the title and body through it (even including optional params like what constitutes too long or short).

Yes, I would do that also in the end - to streamline code and consolidate into one function, but the OP is concentrating on getting the validation to work right now.

FCKEditor is a freeware WYSIWYG editor for replacing textarea form field inputs in forms. It allows you to define what HTML tags users can use as buttons in the editor toolbar, as configured in fckconfig.js, and it is limited. So writing a server side validation function using PHP's strip_tags is the way to go for HTML tags.

As to smilies, it's up to babyjenniferLB to define an array of all smilie sequences and include that in her validation to strip those, if they want the editor to allow smilies. It's a simple matter of including all smilies in a test post, view the source and get the sequences from there. The same is true for anything else non-HTML that must be stripped.

For example, if smilies are saved as text sequences:
Code:
$smilies_arr=array(":)",";)",":(");

If FCKEditor converts them to images then the IMG tag strip is sufficient, but if they want to remove ONLY smilie images then it'll take more code to scan each img tag found for certain keywords and then strip the tag, or maybe setup another array with the full img tag for each smilie.

Then do your preg_replace or whatever to strip.

-jim
 

angelwatt

Moderator emeritus
Aug 16, 2005
7,852
9
USA
http://abcomforts.com/test/text_validation.php

try it out, when you put in text and center it on the validated page, one is correct and the other shows &lt;p style=&quot;text-align: center; &quot;&gt;

Looks like it's from this line,
PHP:
$value = preg_replace('/&lt;([^(>)]+)&gt;/', '<$1>', $value);
Try this one,
PHP:
$value = preg_replace('/&lt;(.*?)&gt;/', '<$1>', $value);
I wonder who gave you that earlier code ;) In fairness, I did say that line was untested, but this new one is.
 

Cabbit

macrumors 68020
Original poster
Jan 30, 2006
2,128
1
Scotland
Only thing not working now is &quot;. I tried just adding it, erm, that doesn't work.
<p style=&quot;text-align: center; &quot;>

Problem I see is how to get it to only have " inside a <p> :/
 

angelwatt

Moderator emeritus
Aug 16, 2005
7,852
9
USA
Only thing not working now is &quot;. I tried just adding it, erm, that doesn't work.
<p style=&quot;text-align: center; &quot;>

Problem I see is how to get it to only have " inside a <p> :/

Add this before or after the replace line we just edited.
PHP:
$value = str_replace('&quot;', '"', $value);
The htmlspecialchars function seems to be causing some extra code. You might want to consider getting rid of it, or finding alternatives.
 

SrWebDeveloper

macrumors 68000
Dec 7, 2007
1,871
3
Alexandria, VA, USA
There is no need to use htmlspecialchars prior to validation, that should be done after all processing is done when data is to be displayed as HTML or submitted into a DB or XML is involved. Similarly, if the FCKeditor is generating encoded output, i.e. "&quot;" for a double quote, then prior to validation I'd run html_entity_decode() on it if PHP4 or htmlspecialchars_decode() if PHP5, each with ENT_QUOTES added as the second argument so single and double quotes are both converted, then encode (the reverse) always before output/DB/XML.

That is to say, it's EASIER to validate decoded characters than having to account for all the encoded characters. It makes the code easier to write and understand. I didn't say required.

-jim
 

Cabbit

macrumors 68020
Original poster
Jan 30, 2006
2,128
1
Scotland
^_^ There, that's everything working braw now, I think. I suppose the only thing I would want to look at now is these param things someone mentioned and some conditional logic for the $value = str_replace('&quot;', '"', $value);
to only do the replace if it is part of a <p style, but I wonder if that would be far too difficult to be worth it.


PHP:
function form_body_validate($value)
// Validates the post body. Returns array('error' => string, 'validated_output' => string). //
{
    $error       = '';
    $valid_value = '';

    // Removing the &nbsp; entities the editor inserts. //
    $value = preg_replace('/&nbsp;/i', '', $value);

    // Sets the allowed tags: everything except p, h4-h6 and img is removed (attributes on
    // the allowed tags are left as they are). //
    $value = preg_replace('/<\/?(?:\b(?!(p\b)|(h[4-6])|(img))[^>]+?)>/i', '', $value);

    // Does the htmlspecialchars bit //
    $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");

    // Turns the escaped &lt; and &gt; back into < and > so the allowed tags render. //
    $value = preg_replace('/&lt;(.*?)&gt;/', '<$1>', $value);

    // Turns &quot; back into a literal quote mark. //
    $value = str_replace('&quot;', '"', $value);

    // Trim surrounding whitespace; compare with === so a body of "0" is not treated as empty. //
    $value = trim($value);
    if ($value === '')
    {
        // If the value is empty. //
        $error = "The body of this post is empty.";
    }
    else if (!preg_match('/\w/', $value))
    {
        /* The value must contain at least one word character.
            a valid input would be "Hello"
            invalid inputs: ".", "...", "    /"
        */
        $error = "The body makes no sense.";
    }
    else if (is_numeric($value))
    {
        // Sets the is-numeric error. //
        $error = "The body of your post is numeric; it must be alpha-numeric.";
    }
    else if (strlen($value) < 12)
    {
        // Too short, to avoid laziness. //
        $error = "The body of your post is too short; it must be at least 12 characters.";
    }
    else if (strlen($value) > 12500)
    {
        // Too long. //
        $error = "The body of your post is too long; it must be at most 12500 characters.";
    }
    else
    {
        // The validated value is returned to the caller. //
        $valid_value = $value;
    }

    // Returning the values as an array. //
    $return_vals["error"] = $error;
    $return_vals["validated_output"] = $valid_value;
    return $return_vals;
}
 

angelwatt

Moderator emeritus
Aug 16, 2005
7,852
9
USA
Looking at your code, of the lines below, only the first two are necessary. The last two are only there because of the third line. Looking through your other validation code, I don't think the htmlspecialchars function matters. The outcome will be the same because the code doesn't check anything that would be different after that function is called. Using just the two lines will remove your problems as well.
PHP:
    // Removing the leading space that is annoying. //
    $value = preg_replace('/&nbsp;/i', '', $value);
    // Sets the allowed tags //
    $value = preg_replace('/<\/?(?:\b(?!(p\b)|(h[4-6])|(img))[^>]+?)>/i', '', $value);
    // Does the htmlspecialchars bit //
    $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8"); //delete
    // Returns the < > instead of the special html bits. //
    $value = preg_replace('/&lt;(.*?)&gt;/', '<$1>', $value);  //delete
    // Makes Quote marks //
    $value = str_replace('&quot;', '"', $value); // delete
If you're putting the content into a DB, then you may want to use the mysql_real_escape_string function right before you place it in the DB, but may not need to be done here in these functions.
 
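The point made above, that escaping for the database belongs at the point of insertion rather than inside the validators, is shown below as an added example; it is not code from this thread or from any of the posters. In place of mysql_real_escape_string it uses PDO prepared statements, which send the values separately from the SQL text, and it escapes for HTML only when rendering. It runs on an in-memory SQLite database (assumes the pdo_sqlite extension) so no MySQL server is needed; the `posts` table, the function names and the hostile strings are constructed for the example. The injectable query is included only for comparison.

```php
<?php
// Added example: keep validation, database storage and HTML output as separate boundaries.
// Not the thread's code; table layout, function names and inputs are assumptions.

function open_store()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// Database boundary: values are bound as parameters, never spliced into the SQL,
// so quotes, semicolons and comment markers in them are stored as literal text.
function insert_post(PDO $db, $title, $body)
{
    $stmt = $db->prepare('INSERT INTO posts (title, body) VALUES (:title, :body)');
    $stmt->execute(array(':title' => $title, ':body' => $body));
    return (int) $db->lastInsertId();
}

// Injectable version, for comparison only: a quote in $title rewrites the WHERE clause.
// htmlspecialchars() with ENT_QUOTES happens to encode quotes, but a field that skips
// that step, or is decoded again before storage, is wide open, and the stored value
// ends up containing HTML entities instead of the user's text.
function find_ids_by_title_unsafe(PDO $db, $title)
{
    $sql = "SELECT id FROM posts WHERE title = '" . $title . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Same lookup with a bound parameter: the probe string is compared as data.
function find_ids_by_title(PDO $db, $title)
{
    $stmt = $db->prepare('SELECT id FROM posts WHERE title = :title');
    $stmt->execute(array(':title' => $title));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Output boundary: escape when building HTML, from the raw stored value.
function render_post(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT title, body FROM posts WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '';
    }
    return '<h3>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</h3>'
         . '<p>'  . htmlspecialchars($row['body'],  ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed data: one ordinary post and one whose fields carry a quote and a script tag.
$db = open_store();
insert_post($db, 'First post', 'Some body text here.');
$id = insert_post($db, "O'Reilly review", '<script>alert(1)</script> is just text once escaped');

$probe = "x' OR '1'='1";
var_dump(find_ids_by_title_unsafe($db, $probe));
var_dump(find_ids_by_title($db, $probe));
echo render_post($db, $id), "\n";
```

The unsafe lookup turns the probe into `WHERE title = 'x' OR '1'='1'` and returns the ids of both rows; the prepared lookup returns an empty array, because no title equals the probe string. The apostrophe in "O'Reilly review" is stored as-is and rendered correctly, and the script tag comes back as escaped text rather than executable markup. The validators earlier in the thread can then concentrate on length and content rules without trying to serve as escaping for the database and the browser at the same time.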

Cabbit

macrumors 68020
Original poster
Jan 30, 2006
2,128
1
Scotland


Was hoping this would be good for form validation and for when i post it to the database. Kinda like a jack of all trades.
 