regular expressions to look for specific series of character

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

kippy
Forum Commoner
Posts: 84
Joined: Wed Jun 07, 2006 8:25 pm

Post by kippy »

I am not sure the best way to ask this, but how can regular expressions be used to validate that a field entry does not include <> </> html tags, etc? The field entry would be rather random and can include - and /

Thanks for the advice.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You could just assume it does and use strip_tags() or possibly Ambush Commander's HTML cleaning class.
kippy
Forum Commoner
Posts: 84
Joined: Wed Jun 07, 2006 8:25 pm

Post by kippy »

Thanks for the quick reply....you are watching the board like a hawk...

I can look into your first option, but the second one was complete gibberish to me...

Thanks for the advice!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Stevenr
Forum Newbie
Posts: 3
Joined: Sat Oct 14, 2006 7:54 pm

Post by Stevenr »

feyd | Please use [code], [php] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.

Code: Select all

if ($str === html_entity_decode(strip_tags($str)))
{
    // Doesn't contain tags
}
else
{
    // Does contain tags
}

kippy
Forum Commoner
Posts: 84
Joined: Wed Jun 07, 2006 8:25 pm

Post by kippy »

strip_tags() appears to work perfectly...are there any flaws in this that I need to worry about?

Thanks again for the advice!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

strip_tags() is a fairly, shall I say, dumb function. It has the potential to cut tags incorrectly quite easily.
kippy
Forum Commoner
Posts: 84
Joined: Wed Jun 07, 2006 8:25 pm

Post by kippy »

Well, it should help in my case...I mean I am still going to receive the unwanted emails from the form, but the links will be removed (hopefully)....I need to think of a way to validate the fields before the email is sent...I wonder if I could create an array of keywords to block the email from being sent out.
kippy
Forum Commoner
Posts: 84
Joined: Wed Jun 07, 2006 8:25 pm

Post by kippy »

or if I use a random function to have the user fill in a response to match the random variable.....annoying, but maybe it will deter the emails from coming all the time.
Cameri
Forum Commoner
Posts: 87
Joined: Tue Apr 12, 2005 4:12 pm
Location: Santo Domingo, Dominican Republic

Post by Cameri »

What I would do is convert those special characters, <, /, >, etc, to HTML entities.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

I don't see why you can't just use htmlspecialchars()
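
The three approaches raised in this thread (strip_tags(), the comparison check, and htmlspecialchars()) run side by side on the same field entries, as an added example that is not part of any post. The function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names and sample
// field entries are constructed for illustration.

/**
 * The comparison check posted above, inverted: true when removing tags
 * and decoding entities would change the value.
 */
function contains_markup(string $value): bool
{
    return $value !== html_entity_decode(strip_tags($value));
}

/**
 * Escape a value for display in an HTML page instead of deleting
 * parts of it. Nothing the user typed is lost.
 */
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample field entries.
$samples = [
    'Flat 3/4 - north wing',                         // plain text with - and /
    'Visit <a href="http://example.com/">here</a>',  // a real tag
    'if a<b and c>d then stop',                      // no HTML, only < and >
    'Tom &amp; Jerry',                               // an entity, no tag
];

foreach ($samples as $entry) {
    printf(
        "input:    %s\nflagged:  %s\nstripped: %s\nescaped:  %s\n\n",
        $entry,
        contains_markup($entry) ? 'yes' : 'no',
        strip_tags($entry),
        escape_for_html($entry)
    );
}
```

The third entry contains no HTML at all, yet strip_tags() deletes everything between the `<` and the `>`, while the escaped form keeps the full text. The fourth entry is flagged by the comparison check only because html_entity_decode() changes it.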