Page 1 of 1

Stripping tags!!!

Posted: Thu Mar 18, 2004 2:57 pm
by Joe
I have been trying to remove all html/script tags to prevent it from showing on the main news area. This is because my site was attacked and script was injected through the news area redirecting to another site. I have tried:

<?php
$link = mysql_connect("???", "???", "???");
mysql_select_db("???") or die("couldnt connect" . mysql_error());
$sql = "SELECT * FROM news ORDER BY ID";
$result = mysql_query($sql) or die(mysql_error());

while (true)
{
$row = mysql_fetch_assoc($result);
if ($row == false) break;
echo "<img src='news.gif' border=1>";
$headline = $row['headline'];
$username = $row['username'];
$mainnews = $row['mainnews'];

$headline1 = striptags($headline);
$username1 = striptags($username);
$mainnews1 = striptags($mainnews);

echo "<br><u><b>.:'$headline1':.<U></b> posted by '$username' <br>";
echo "'$mainnews'<br>";
echo "<hr color='white'>";
}
?>

Please help!

Regards


Joe 8)

Re: Stripping tags!!!

Posted: Thu Mar 18, 2004 3:00 pm
by TheBentinel.com

Code: Select all

$headline = $row['headline'];
  $username = $row['username'];
  $mainnews = $row['mainnews'];

  $headline1 = striptags($headline);
  $username1 = striptags($username);
  $mainnews1 = striptags($mainnews);

  echo "<br><u><b>.:'$headline1':.<U></b> posted by '$username' <br>"; 
  echo "'$mainnews'<br>"; 
  echo "<hr color='white'>";
Should your echo statements be using the $username1 and $mainnews1 variables? They are using the variables in their unstripped state.

Posted: Thu Mar 18, 2004 3:02 pm
by Illusionist
i think your best bet owuld be to striptags() before you even insert intot he database.... And what was your actual question??

EDIT:: nice catch Bentinel!!

Posted: Thu Mar 18, 2004 3:06 pm
by Joe
Oh ya i forgot. How stupid of me. The problem is that when i try the code out i get a mySQL error. So what should i do with the script.

Posted: Thu Mar 18, 2004 3:12 pm
by TheBentinel.com
Joe wrote:Oh ya i forgot. How stupid of me. The problem is that when i try the code out i get a mySQL error. So what should i do with the script.
What error do you get?

Often I find that if I take the most unique chunk of text from an error message and search on it in Google and/or google groups, I find some poor fool that's already faced and fixed my problem. Give that a go, too, nobody gets back to you faster than a web search!

[Thanks, Illusionist!]

Posted: Thu Mar 18, 2004 3:47 pm
by Joe
I tried googling with no luck. The error is:

Fatal error: Call to undefined function: striptags() in /home/.sites/27/site244/web/index.php on line 228

Can anyone make anything from it?

Regards


Joe 8)

Posted: Thu Mar 18, 2004 9:09 pm
by TheBentinel.com
Joe wrote:Fatal error: Call to undefined function: striptags() in /home/.sites/27/site244/web/index.php on line 228
Sorry, I shoulda caught that earlier. The function is called "strip_tags"
http://us3.php.net/manual/en/function.strip-tags.php

It's worthy of note, though, that if you're getting an error message, you need to post the entire text of that message in the forum. I could've looked at "striptags()" for the rest of my life and not caught on that it was bad, but looking at the error, it's obvious.