Function return excluding some things I want to keep.

Discussion in 'Web Design and Development' started by Cabbit, Dec 2, 2008.

  1. Cabbit macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #1
    PHP:
    <?php
    // Function for text field validation. //
    function form_title_validate($value)
    {
        $error = null;
        $valid_value = null;

        // First stage is to convert the string to HTML special chars to stop injection. //
        $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");

        // Strip tags. //
        $value = strip_tags($value);

        // Trimming excess space from the value. //
        if (!$value || strlen($value = trim($value)) == 0)
        {
            // If the value is empty. //
            $error = "The title field is empty.";
        }
        else
        {
            /* Checking to make sure the value makes sense.
               A valid input would be "Hello".
               Invalid inputs: ".", "...", "    /"
            */
            if (preg_match('/[\w]{1,}/', $value))
            {
                // Checking if the value is a number. //
                if (is_numeric($value))
                {
                    // Sets the is-numeric error. //
                    $error = "The title field is numeric, it must be alpha-numeric.";
                }
                // The value is not a number, so let's proceed. //
                else
                {
                    // Now making sure the string is not too short, to avoid laziness. //
                    if (strlen($value) < 5)
                    {
                        // Sets the error as too short. //
                        $error = "The title field is too short, it must be greater than 5 characters.";
                    }
                    else if (strlen($value) > 60)
                    {
                        // Sets the error as too long. //
                        $error = "The title field is too long, it must be less than 60 characters.";
                    }
                    else
                    {
                        // The validated value is returned to the browser. //
                        $valid_value = $value;
                    }
                }
            }
            else
            {
                // Return an error for invalid input. //
                $error = "The title field makes no sense.";
            }
        }

        $return_vals["error"] = $error;
        $return_vals["validated_output"] = $valid_value;
        return $return_vals;
    }

    // Function for text field validation. //
    function form_body_validate($value)
    {
        $error = null;
        $valid_value = null;

        // First stage is to convert the string to HTML special chars to stop injection. //
        $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");

        // Strip tags. //
        $value = strip_tags($value);

        // Trimming excess space from the value. //
        if (!$value || strlen($value = trim($value)) == 0)
        {
            // If the value is empty. //
            $error = "The body of this post is empty.";
        }
        else
        {
            /* Checking to make sure the value makes sense.
               A valid input would be "Hello".
               Invalid inputs: ".", "...", "    /"
            */
            if (preg_match('/[\w]{1,}/', $value))
            {
                // Checking if the value is a number. //
                if (is_numeric($value))
                {
                    // Sets the is-numeric error. //
                    $error = "The body of your post is numeric, it must be alpha-numeric.";
                }
                // The value is not a number, so let's proceed. //
                else
                {
                    // Now making sure the string is not too short, to avoid laziness. //
                    if (strlen($value) < 5)
                    {
                        // Sets the error as too short. //
                        $error = "The body of your post is too short, it must be greater than 5 characters.";
                    }
                    else if (strlen($value) > 12500)
                    {
                        // Sets the error as too long. //
                        $error = "The body of your post is too long, it must be less than 12500 characters.";
                    }
                    else
                    {
                        // The validated value is returned to the browser. //
                        $valid_value = $value;
                    }
                }
            }
            else
            {
                // Return an error for invalid input. //
                $error = "The body makes no sense.";
            }
        }

        $return_vals["error"] = $error;
        $return_vals["validated_output"] = $valid_value;
        return $return_vals;
    }
    ?>

    <html>
        <head>
            <title>Text Validation</title>
            <style type="text/css">
                body {
                    background-color: #ffffff;
                    color: #333;
                    font-family: Geneva,Arial,Helvetica,sans-serif;
                }
                h1 {
                    line-height: 1.6em;
                    font-size: 1.6em;
                    margin: 0em 0em 0em 0em;
                    padding: 0em 0em 0em 0em;
                }
                h2 {
                    line-height: 1.2em;
                    font-size: 1.2em;
                    margin: 0em 0em 0em 0em;
                    padding: 0em 0em 0em 0em;
                }
                label {
                    display: inline;
                    font-size: 0.8em;
                    margin: 2px;
                }
                p {
                    font-size: 1em;
                    line-height: 1.2em;
                    padding: 0em 0em 0em 0em;
                    margin: .2em 0 .6em 0;
                }
                ul {
                    font-size: 0.8em;
                    color: #ff4444;
                    margin: 0; padding: 0;
                    list-style: none;
                }
            </style>
        </head>
    <body>
    <?php
    if (!isset($_GET['validate']))
    {
        // Title //
        echo '<h1>Input form</h1>';

        // Form //
        echo '<form name="input_validation" action="text_validation.php?validate" method="post">';

        // Title //
        echo '<p><label for="title">Title:</label><input type="text" id="title" name="title"></p>';

        // Body //
        echo '<p><label for="body">Body:</label><br /><textarea id="body" name="body" cols="40" rows="5"></textarea></p>';

        // Submit //
        echo '<input type="submit" value="submit">';

        // End form //
        echo '</form>';
    }
    if (isset($_GET['validate']))
    {
        // Title //
        echo '<h1>Output</h1>';

        // Errors: begin unordered list //
        echo '<ul>';

        // Returns the form errors //
        // Title //
        $error_validate = form_title_validate($_POST['title']);
        if (!empty($error_validate['error']))
        {
            echo '<li>' . $error_validate['error'] . '</li>';
        }

        // Body //
        $error_validate = form_body_validate($_POST['body']);
        if (!empty($error_validate['error']))
        {
            echo '<li>' . $error_validate['error'] . '</li>';
        }

        // End of unordered list //
        echo '</ul>';
        // End errors //

        // Getting the title's value back //
        $title = form_title_validate($_POST['title']);
        echo '<h3>' . stripslashes($title['validated_output']) . '</h3>';

        // Getting the body's value back //
        $body = form_body_validate($_POST['body']);
        echo '<p>' . stripslashes($body['validated_output']) . '</p>';

        // Back button //
        echo '<a href="text_validation.php">Back</a>';
    }
    ?>
    </body>
    </html>

    For the body function I would like it to keep some of the HTML coding, such as <p> and <h1>, yet exclude other coding such as <script>. Is there an easy way for me to implement this in the form_body_validate function?
     
  2. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #2
    See the documentation for strip_tags as there is a second argument you can use to list exceptions when stripping out tags. I believe this is what you're after.
     
  3. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #3
    Thanks, but is that what is making it replace the tag <p> with &lt;p&gt;?
     
  4. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #4
    Ah, no, the function htmlspecialchars is what is doing that. You can try to use the htmlspecialchars function after you do a strip tags call. Then if you need the < and > back in place you can do a search and replace on the string.

    PHP:
    $value = strip_tags($value, '<p><h1>');
    $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");
    $value = preg_replace('/&lt;([^(>)]+)&gt;/m', '<$1>', $value);
    Just a note, I haven't tested the above replace code.
     
  5. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #5
    Hey, thanks, it works great. Any idea how secure this code will be for preventing SQL injection?
    My learning of functions is aimed at really bettering my understanding of coding to make coding much easier for myself; next on my list is classes.
     
  6. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #6
    -deleting chunk-

    As far as blocking SQL injections, I don't use databases much, but my current block is done by,
    PHP:
    $regInject = "/bcc:|cc:|multipart|\[url|\[link|Content-Type:/i";
    if (preg_match($regInject, implode($_POST))) { ... }
    // and for pulling items out of $_POST or the like
    $name = stripslashes(strip_tags($_POST['name']));
    but that was for a feedback form where I was trying to stop email hijacking. The mysql_real_escape_string function is one to look at though.

    Some reading:
    http://blog.phpkemist.com/2007/07/1...-using-php-programming-and-mysql-programming/
    http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
     
  7. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #7
    I have been working on it a little more and it's starting to shape up to do a lot of the stuff that I have been wanting it to do. But I am having a problem when it gets something like <p style="text-align: center; ">, with it not treating that the same as a <p> tag. I have tried a few things out but am not getting anywhere with it.

    PHP:
    // Function for text field validation. //
    function form_body_validate($value)
    {
        $error = null;
        $valid_value = null;

        // Removing the leading space that is annoying. //
        $value = preg_replace('/ /i', '', $value);

        // Sets the allowed tags. //
        $value = strip_tags($value, '<p><h1><h2><h3><img><p style="text-align: center; ">');

        // Does the htmlspecialchars bit. //
        $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");

        // Returns the < > instead of the special HTML bits. //
        $value = preg_replace('/&lt;([^(>)]+)&gt;/', '<$1>', $value);

        // Trimming excess space from the value. //
        if (!$value || strlen($value = trim($value)) == 0)
        {
            // If the value is empty. //
            $error = "The body of this post is empty.";
        }
        else
        {
            /* Checking to make sure the value makes sense.
               A valid input would be "Hello".
               Invalid inputs: ".", "...", "    /"
            */
            if (preg_match('/[\w]{1,}/', $value))
            {
                // Checking if the value is a number. //
                if (is_numeric($value))
                {
                    // Sets the is-numeric error. //
                    $error = "The body of your post is numeric, it must be alpha-numeric.";
                }
                // The value is not a number, so let's proceed. //
                else
                {
                    // Now making sure the string is not too short, to avoid laziness. //
                    if (strlen($value) < 5)
                    {
                        // Sets the error as too short. //
                        $error = "The body of your post is too short, it must be greater than 5 characters.";
                    }
                    else if (strlen($value) > 12500)
                    {
                        // Sets the error as too long. //
                        $error = "The body of your post is too long, it must be less than 12500 characters.";
                    }
                    else
                    {
                        // The validated value is returned to the browser. //
                        $valid_value = $value;
                    }
                }
            }
            else
            {
                // Return an error for invalid input. //
                $error = "The body makes no sense.";
            }
        }

        $return_vals["error"] = $error;
        $return_vals["validated_output"] = $valid_value;
        return $return_vals;
    }
     
  8. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #8
    Well, when pre-built functions got you down, devise your own. Actually we can do this with Regexp, but I suppose you could turn it into a function too.

    PHP:
    // Replace
    $value = strip_tags($value, '<p><h1><h2><h3><img><p style="text-align: center; ">');
    // with
    $value = preg_replace('/<\/?(?:\b(?!(p\b)|(h[1-3])|(img))[^>]+?)>/i', '', $value);
    I tested the above with the following text
    PHP:
    $str = <<<EOF
    <h1>Heading</h1>
    <p>A <strong>paragraph</strong></p>
    <p style="text-align: center; ">Another
    <img src="image.jpg" alt="" /> paragraph.</p>

    EOF;
    and it worked as expected, stripping the strong tag and leaving everything else. You can test the regexp on my regular expression testing tool (ah, shameless plug). As a note, the (p\b) part of the regexp above keeps it from matching the pre, param, and samp (and some others) tags.
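    The regex above allowlists tag names only: whatever attributes sit on a kept <p> or <img> pass through untouched, which is exactly why the style attribute survives. The following is an added example (not code from this thread) that builds the same name allowlist from a list and then adds a second pass keeping only listed attributes whose values match a pattern; the tag and attribute rules are assumptions for the demo.

```php
<?php
// Added example, not code from the thread. angelwatt's regex allowlists tag
// names; every attribute on a kept tag passes through untouched, so a second
// pass keeps only listed attributes whose values match a pattern.
// Tag and attribute rules below are assumptions for the demo.

// Tag-name allowlist, the same shape as post #8's regex but built from a list.
function keep_allowed_tags($html, array $tags)
{
    $names = implode('|', array_map('preg_quote', $tags));
    // "<", optional "/", then a tag whose name is NOT one of the allowed names.
    $pattern = '/<\/?(?:\b(?!(?:' . $names . ')\b)[^>]+?)>/i';
    return preg_replace($pattern, '', $html);
}

// Attribute allowlist: $rules is tag => array(attribute => value regex).
// Unlisted attributes (event handlers included) and unquoted attributes are
// dropped; closing tags do not match the pattern and are left alone.
function keep_allowed_attributes($html, array $rules)
{
    return preg_replace_callback(
        '/<([a-z][a-z0-9]*)\b([^>]*?)\s*(\/?)>/i',
        function ($m) use ($rules) {
            $tag  = strtolower($m[1]);
            $kept = '';
            if (isset($rules[$tag]) && preg_match_all(
                    '/([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')/i',
                    $m[2], $attrs, PREG_SET_ORDER)) {
                foreach ($attrs as $a) {
                    $name  = strtolower($a[1]);
                    // Group 3 only exists for single-quoted values.
                    $value = isset($a[3]) ? $a[3] : $a[2];
                    if (isset($rules[$tag][$name]) && preg_match($rules[$tag][$name], $value)) {
                        $kept .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
                    }
                }
            }
            return '<' . $tag . $kept . ($m[3] === '/' ? ' /' : '') . '>';
        },
        $html
    );
}

$tags  = array('p', 'h1', 'h2', 'h3', 'img');
$rules = array(
    'p'   => array('style' => '/^text-align:\s*(?:left|center|right);?\s*$/i'),
    'img' => array(
        // Relative path or http(s) URL; any other URL scheme is rejected.
        'src' => '/^(?:https?:\/\/|(?![a-z][a-z0-9+.-]*:))[^\s"\'<>]+$/i',
        'alt' => '/^[^<>]*$/',
    ),
);

// Constructed input in the shape of post #8's test string, with extra attributes.
$input = <<<EOF
<h1 class="big">Heading</h1>
<p>A <strong>paragraph</strong></p>
<p style="text-align: center; " class="x">Another
<img src="image.jpg" alt="" width="10" /> paragraph.</p>
EOF;

echo keep_allowed_attributes(keep_allowed_tags($input, $tags), $rules);
```

    Running it strips the <strong> tags, class="..." and width="10", while style="text-align: center; " on the paragraph and src/alt on the image survive.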
     
  9. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #9
    http://abcomforts.com/test/text_validation.php

    This is a link to the actual script in motion. ^_^ What I am trying to do is make it so only the fields I have specified in FCKeditor are allowed. So far smilies, img and font indent do not work, and I don't think that centering and stuff works either.

    PHP:
    <?php
    // Function for text field validation. //
    function form_title_validate($value)
    {
        $error = null;
        $valid_value = null;

        // First stage is to convert the string to HTML special chars to stop injection. //
        $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");

        // Strip tags. //
        $value = strip_tags($value);

        // Trimming excess space from the value. //
        if (!$value || strlen($value = trim($value)) == 0)
        {
            // If the value is empty. //
            $error = "The title field is empty.";
        }
        else
        {
            /* Checking to make sure the value makes sense.
               A valid input would be "Hello".
               Invalid inputs: ".", "...", "    /"
            */
            if (preg_match('/[\w]{1,}/', $value))
            {
                // Checking if the value is a number. //
                if (is_numeric($value))
                {
                    // Sets the is-numeric error. //
                    $error = "The title field is numeric, it must be alpha-numeric.";
                }
                // The value is not a number, so let's proceed. //
                else
                {
                    // Now making sure the string is not too short, to avoid laziness. //
                    if (strlen($value) < 5)
                    {
                        // Sets the error as too short. //
                        $error = "The title field is too short, it must be greater than 5 characters.";
                    }
                    else if (strlen($value) > 60)
                    {
                        // Sets the error as too long. //
                        $error = "The title field is too long, it must be less than 60 characters.";
                    }
                    else
                    {
                        // The validated value is returned to the browser. //
                        $valid_value = $value;
                    }
                }
            }
            else
            {
                // Return an error for invalid input. //
                $error = "The title field makes no sense.";
            }
        }

        $return_vals["error"] = $error;
        $return_vals["validated_output"] = $valid_value;
        return $return_vals;
    }

    // Function for text field validation. //
    function form_body_validate($value)
    {
        $error = null;
        $valid_value = null;

        // Removing the leading space that is annoying. //
        $value = preg_replace('/ /i', '', $value);

        // Sets the allowed tags. //
        $value = preg_replace('/<\/?(?:\b(?!(p\b)|(h[1-3])|(img))[^>]+?)>/i', '', $value);

        // Does the htmlspecialchars bit. //
        $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");

        // Returns the < > instead of the special HTML bits. //
        $value = preg_replace('/&lt;([^(>)]+)&gt;/', '<$1>', $value);

        // Trimming excess space from the value. //
        if (!$value || strlen($value = trim($value)) == 0)
        {
            // If the value is empty. //
            $error = "The body of this post is empty.";
        }
        else
        {
            /* Checking to make sure the value makes sense.
               A valid input would be "Hello".
               Invalid inputs: ".", "...", "    /"
            */
            if (preg_match('/[\w]{1,}/', $value))
            {
                // Checking if the value is a number. //
                if (is_numeric($value))
                {
                    // Sets the is-numeric error. //
                    $error = "The body of your post is numeric, it must be alpha-numeric.";
                }
                // The value is not a number, so let's proceed. //
                else
                {
                    // Now making sure the string is not too short, to avoid laziness. //
                    if (strlen($value) < 12)
                    {
                        // Sets the error as too short. //
                        $error = "The body of your post is too short, it must be greater than 5 characters.";
                    }
                    else if (strlen($value) > 12500)
                    {
                        // Sets the error as too long. //
                        $error = "The body of your post is too long, it must be less than 12500 characters.";
                    }
                    else
                    {
                        // The validated value is returned to the browser. //
                        $valid_value = $value;
                    }
                }
            }
            else
            {
                // Return an error for invalid input. //
                $error = "The body makes no sense.";
            }
        }

        // Returning the values as an array. //
        // Set the error message. //
        $return_vals["error"] = $error;

        // Set the valid output. //
        $return_vals["validated_output"] = $valid_value;

        // Return the array. //
        return $return_vals;

        // End function. //
    }
    ?>

    <html>
        <head>
            <title>Text Validation</title>
            <style type="text/css">
                body {
                    background-color: #ffffff;
                    color: #333;
                    font-family: Geneva,Arial,Helvetica,sans-serif;
                }
                h1 {
                    line-height: 1.6em;
                    font-size: 1.6em;
                    margin: 0em 0em 0em 0em;
                    padding: 0em 0em 0em 0em;
                }
                h2 {
                    line-height: 1.2em;
                    font-size: 1.2em;
                    margin: 0em 0em 0em 0em;
                    padding: 0em 0em 0em 0em;
                }
                h4 {
                    line-height: 1.2em;
                    font-size: 1.2em;
                    margin: 0em 0em 0em 0em;
                    padding: 0em 0em 0em 0em;
                }
                label {
                    display: inline;
                    font-size: 0.8em;
                    margin: 2px;
                }
                p {
                    font-size: 1em;
                    line-height: 1.2em;
                    padding: 0em 0em 0em 0em;
                    margin: .2em 0 .6em 0;
                }
                ul {
                    font-size: 0.8em;
                    color: #ff4444;
                    margin: 0; padding: 0;
                    list-style: none;
                }
            </style>
        </head>
    <body>
    <?php
    if (!isset($_GET['validate']))
    {
        // Title //
        echo '<h1>Input form</h1>';

        // Form //
        echo '<form name="input_validation" action="text_validation.php?validate" method="post">';

        // Title //
        echo '<p><label for="title">Title:</label><input type="text" id="title" name="title"></p>';

        // Body //
        echo '<p><label for="body">Body:</label><br />';
        include("../editor/fckeditor.php");
        $sBasePath = '../editor/';    // '/fckeditor/' is the default value
        $oFCKeditor = new FCKeditor('body');
        $oFCKeditor->BasePath = $sBasePath;
        $oFCKeditor->Value = '';
        $oFCKeditor->Create();
        echo '</p>';

        // Submit //
        echo '<input type="submit" value="submit">';

        // End form //
        echo '</form>';
    }
    if (isset($_GET['validate']))
    {
        // Title //
        echo '<h1>Output</h1>';

        // Errors: begin unordered list //
        echo '<ul>';

        // Returns the form errors //
        // Title //
        $error_validate = form_title_validate($_POST['title']);
        if (!empty($error_validate['error']))
        {
            echo '<li>' . $error_validate['error'] . '</li>';
        }

        // Body //
        $error_validate = form_body_validate($_POST['body']);
        if (!empty($error_validate['error']))
        {
            echo '<li>' . $error_validate['error'] . '</li>';
        }

        // End of unordered list //
        echo '</ul>';
        // End errors //

        // Original inputs //
        // Echoes the raw, unvalidated body for comparison; this renders any HTML the user submitted. //
        echo '<h2>The original inputs</h2>';
        echo stripslashes($_POST['body']);

        // Getting the title's value back //
        $title = form_title_validate($_POST['title']);
        echo '<h3>' . stripslashes($title['validated_output']) . '</h3>';

        // Getting the body's value back //
        $body = form_body_validate($_POST['body']);
        echo stripslashes($body['validated_output']);

        // Back button //
        echo '<br /><a href="text_validation.php">Back</a>';
    }
    ?>
    </body>
    </html>
     
  10. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #10
    I'm not quite following. How are things working and not working (specifically)? I've never used FCKEditor so not sure how you specified what fields were allowed and such. You have a lot of code there, so specifics of where you're needing help will go a long ways of helping us help you.

    When I tried the page it seemed to do what I believe you wanted it to do, so that's what's kind of confusing me.
     
  11. memco macrumors 6502

    Joined:
    May 1, 2008
    #11
    It looked to me like your two validate functions were identical. In that case, you could just have the function validate() and pass both the title and body through it (even including optional params like what constitutes too long or short).
     
  12. SrWebDeveloper macrumors 68000

    SrWebDeveloper

    Joined:
    Dec 7, 2007
    Location:
    Alexandria, VA, USA
    #12
    Yes, I would do that also in the end - to streamline code and consolidate into one function, but the OP is concentrating on getting the validation to work right now.

    FCKEditor is a freeware WYSIWYG editor for replacing textarea form field inputs in forms. It allows you to define what HTML tags users can use as buttons in the editor toolbar, as configured in fckconfig.js, and it is limited. So writing a server side validation function using PHP's strip_tags is the way to go for HTML tags.

    As to smilies, it's up to babyjenniferLB to define an array of all smilie sequences and include that in her validation to strip those, if they want the editor to allow smilies. It's a simple matter of including all smilies in a test post, view the source and get the sequences from there. The same is true for anything else non-HTML that must be stripped.

    For example, if smilies are saved as text sequences:
    Code:
    $smilies_arr=array(":)",";)",":(");
    If FCKEditor converts them to images then the IMG tag strip is sufficient, but if they want to remove ONLY smilie images then it'll take more code to scan each img tag found for certain keywords and then strip the tag, or maybe set up another array with the full img tag for each smilie.

    Then do your preg_replace or whatever to strip.

    -jim
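    An added example (not code from this thread) of the consolidation memco suggested: one validator for both fields, with the limits as optional parameters and the smilie sequences from the post above stripped first. The limits, messages and smilie list are assumptions for the demo.

```php
<?php
// Added example, not code from the thread: one validator for both fields, as
// memco suggested, with optional limits and the smilie list SrWebDeveloper
// described. Limits, messages and the smilie sequences are assumptions.

function validate_text($value, $label, $min = 5, $max = 60, array $strip = array())
{
    $error = null;
    $valid = null;

    // Remove literal sequences the editor should not pass through (smilies).
    if ($strip) {
        $value = str_replace($strip, '', $value);
    }
    $value = trim($value);

    if ($value === '') {
        $error = "The $label is empty.";
    } elseif (!preg_match('/\w/', $value)) {
        // ".", "...", "    /" end up here: no word character at all.
        $error = "The $label makes no sense.";
    } elseif (is_numeric($value)) {
        $error = "The $label is numeric, it must be alpha-numeric.";
    } elseif (strlen($value) < $min) {
        // strlen counts bytes, as the thread's code does.
        $error = "The $label is too short, it must be at least $min characters.";
    } elseif (strlen($value) > $max) {
        $error = "The $label is too long, it must be at most $max characters.";
    } else {
        $valid = $value;
    }

    return array('error' => $error, 'validated_output' => $valid);
}

// Constructed smilie sequences, as in the post above.
$smilies = array(':)', ';)', ':(');

// Constructed inputs standing in for $_POST['title'] and $_POST['body'].
$results = array(
    validate_text('Hello :)', 'title', 5, 60, $smilies),  // smilie stripped, "Hello" passes
    validate_text('12345678', 'title'),                   // numeric
    validate_text('...', 'body', 12, 12500),              // makes no sense
    validate_text('Short', 'body', 12, 12500),            // too short for a body
    validate_text(str_repeat('x', 61), 'title'),          // too long for a title
);

foreach ($results as $r) {
    echo $r['error'] === null ? 'OK: ' . $r['validated_output'] : 'Error: ' . $r['error'];
    echo PHP_EOL;
}
```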
     
  13. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #13
    I got smilies working now, but I can't get anything that is a <p style> working.
     
  14. SrWebDeveloper macrumors 68000

    SrWebDeveloper

    Joined:
    Dec 7, 2007
    Location:
    Alexandria, VA, USA
    #14
    Not following you. There is <P style="whatever CSS you want"> ?? and what do you mean by "working" ? Are you trying to strip P tags that contain the style attribute?
     
  15. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #15
    http://abcomforts.com/test/text_validation.php

    Try it out: when you put in text and center it, on the validated page one is correct and the other shows <p style="text-align: center; ">
     
  16. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #16
    Looks like it's from this line,
    PHP:
    $value = preg_replace('/&lt;([^(>)]+)&gt;/', '<$1>', $value);
    Try this one,
    PHP:
    $value = preg_replace('/&lt;(.*?)&gt;/', '<$1>', $value);
    I wonder who gave you that earlier code ;) In fairness, I did say that line was untested, but this new one is.
     
  17. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #17
    Only thing not working now is &quot;. I tried just adding it; erm, that doesn't work.
    <p style="text-align: center; ">

    Problem I see is how to get it to only have " inside a <p> :/
     
  18. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #18
    Add this before or after the replace line we just edited.
    PHP:
    $value = str_replace('&quot;', '"', $value);
    The htmlspecialchars function seems to be causing some extra code. You might want to consider getting rid of it, or finding alternatives.
     
  19. SrWebDeveloper macrumors 68000

    SrWebDeveloper

    Joined:
    Dec 7, 2007
    Location:
    Alexandria, VA, USA
    #19
    There is no need to use htmlspecialchars prior to validation; that should be done after all processing is done, when data is to be displayed as HTML or submitted into a DB, or when XML is involved. Similarly, if the FCKeditor is generating encoded output, i.e. "&quot;" for a double quote, then prior to validation I'd run html_entity_decode() on it if PHP4 or htmlspecialchars_decode() if PHP5, each with ENT_QUOTES added as the second argument so single and double quotes are both converted, then encode (the reverse) always before output/DB/XML.

    That is to say, it's EASIER to validate decoded characters than having to account for all the encoded characters. It makes the code easier to write and understand. I didn't say required.

    -jim
     
  20. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #20
    ^_^ There, that's everything working braw now, I think. I suppose the only thing I would want to look at now is these param things someone mentioned, and some conditional logic for the $value = str_replace('&quot;', '"', $value);
    to only do the replace if it is part of a <p style, but I wonder if that would be far too difficult to be worth it.


    PHP:
    // Function for text field validation. //
    function form_body_validate($value)
    {
        $error = null;
        $valid_value = null;

        // Removing the leading space that is annoying. //
        $value = preg_replace('/ /i', '', $value);

        // Sets the allowed tags. //
        $value = preg_replace('/<\/?(?:\b(?!(p\b)|(h[4-6])|(img))[^>]+?)>/i', '', $value);

        // Does the htmlspecialchars bit. //
        $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");

        // Returns the < > instead of the special HTML bits. //
        $value = preg_replace('/&lt;(.*?)&gt;/', '<$1>', $value);

        // Makes quote marks. //
        $value = str_replace('&quot;', '"', $value);

        // Trimming excess space from the value. //
        if (!$value || strlen($value = trim($value)) == 0)
        {
            // If the value is empty. //
            $error = "The body of this post is empty.";
        }
        else
        {
            /* Checking to make sure the value makes sense.
               A valid input would be "Hello".
               Invalid inputs: ".", "...", "    /"
            */
            if (preg_match('/[\w]{1,}/', $value))
            {
                // Checking if the value is a number. //
                if (is_numeric($value))
                {
                    // Sets the is-numeric error. //
                    $error = "The body of your post is numeric, it must be alpha-numeric.";
                }
                // The value is not a number, so let's proceed. //
                else
                {
                    // Now making sure the string is not too short, to avoid laziness. //
                    if (strlen($value) < 12)
                    {
                        // Sets the error as too short. //
                        $error = "The body of your post is too short, it must be greater than 5 characters.";
                    }
                    else if (strlen($value) > 12500)
                    {
                        // Sets the error as too long. //
                        $error = "The body of your post is too long, it must be less than 12500 characters.";
                    }
                    else
                    {
                        // The validated value is returned to the browser. //
                        $valid_value = $value;
                    }
                }
            }
            else
            {
                // Return an error for invalid input. //
                $error = "The body makes no sense.";
            }
        }

        // Returning the values as an array. //
        // Set the error message. //
        $return_vals["error"] = $error;

        // Set the valid output. //
        $return_vals["validated_output"] = $valid_value;

        // Return the array. //
        return $return_vals;

        // End function. //
    }
     
  21. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #21
    Looking at your code, of the lines below, only the first two are necessary. The last two are only there because of the third line. Looking through your other validation code, I don't think the htmlspecialchars function matters. The outcome will be the same because the code doesn't check anything that would be different after that function is called. Using just the two lines will remove your problems as well.
    PHP:
        // Removing the leading space that is annoying. //
        $value = preg_replace('/ /i', '', $value);

        // Sets the allowed tags. //
        $value = preg_replace('/<\/?(?:\b(?!(p\b)|(h[4-6])|(img))[^>]+?)>/i', '', $value);

        // Does the htmlspecialchars bit. //
        $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8"); // delete

        // Returns the < > instead of the special HTML bits. //
        $value = preg_replace('/&lt;(.*?)&gt;/', '<$1>', $value); // delete

        // Makes quote marks. //
        $value = str_replace('&quot;', '"', $value); // delete
    If you're putting the content into a DB, then you may want to use the mysql_real_escape_string function right before you place it in the DB, but may not need to be done here in these functions.
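    An added example (not code from this thread) of the split angelwatt and SrWebDeveloper describe: the tag allowlist runs once on input, the plain-text title is encoded only at output, and the values reach the database through a prepared statement rather than being escaped first. The in-memory SQLite database, table and sample post are assumptions for the demo.

```php
<?php
// Added example, not code from the thread. Runs the tag allowlist once on
// input, encodes the plain-text title only at output, and stores both values
// with a prepared statement instead of pre-escaping them. The in-memory SQLite
// database, table name and sample post are assumptions for the demo.

function sanitize_body($value)
{
    // Leading whitespace the editor adds.
    $value = ltrim($value);
    // Tag-name allowlist from post #20: p, h4-h6 and img survive; every other
    // element (script included) loses its tags, while the text inside remains.
    return preg_replace('/<\/?(?:\b(?!(p\b)|(h[4-6])|(img))[^>]+?)>/i', '', $value);
}

function store_post(PDO $db, $title, $body)
{
    // Placeholders keep the values out of the SQL text, so no
    // mysql_real_escape_string-style escaping of $title or $body is needed.
    $stmt = $db->prepare('INSERT INTO posts (title, body) VALUES (:title, :body)');
    $stmt->execute(array(':title' => $title, ':body' => $body));
    return (int) $db->lastInsertId();
}

function load_post(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT title, body FROM posts WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

function render_post(array $row)
{
    // The title is plain text: encode it here, at output, not before validation.
    // The body was reduced to the tag allowlist on input and is emitted as HTML.
    return '<h3>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</h3>' . PHP_EOL
         . $row['body'] . PHP_EOL;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT, body TEXT)');

// Constructed input: quotes in the title, one centred paragraph and one
// disallowed element in the body.
$title = 'Cabbit\'s "braw" post';
$body  = '  <p style="text-align: center; ">Centred text</p><script>not wanted</script><h4>Sub</h4>';

$id = store_post($db, $title, sanitize_body($body));
echo render_post(load_post($db, $id));
```

    The rendered title carries encoded quotes, the centred paragraph and <h4> come back intact, and the <script> element is reduced to its inner text.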
     
  22. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #22


    Was hoping this would be good for form validation and for when I post it to the database. Kinda like a jack of all trades.
     
