quick strip_tags question


Hi all, I have a guestbook which is inserted into my database, and I'm trying to strip the HTML, JS etc. from it before it is inserted. ATM anyone can insert code into my database, which is, well, rather bad. I currently have the following code, however it does nothing but insert into my database like normal:

Code:
<?php
$sel = mysql_connect("localhost", "cpanelu_dci125", "MonkeyTeaPot");
if (!$sel) {
    die('Could not connect: ' . mysql_error());
}

mysql_select_db("cpanelu_dci125", $sel);

// strip_tags() returns the cleaned string; these calls discard the
// return value, so $_POST is left exactly as it was submitted.
strip_tags($_POST['name']);
strip_tags($_POST['email']);
strip_tags($_POST['comment']);

// The submitted values are interpolated straight into the query text.
$dat = "INSERT INTO guestbook (name, email, comment)
        VALUES ('$_POST[name]', '$_POST[email]', '$_POST[comment]')";

if ($_POST['name'] == NULL) {
    die('Please Do Not Leave Any Field Blank, You Will Now Return To The Guestbook!');
} elseif ($_POST['email'] == NULL) {
    die('Please Do Not Leave Any Field Blank, You Will Now Return To The Guestbook!');
} elseif ($_POST['comment'] == NULL) {
    die('Please Do Not Leave Any Field Blank, You Will Now Return To The Guestbook!');
}

if (!mysql_query($dat, $sel)) {
    die('Error: ' . mysql_error());
}

echo "Thank you for leaving a comment! You will return to the guestbook shortly";

mysql_close($sel);
?>
strip_tags returns the string with tags stripped, you can't call by reference.
So,
Code:
$_POST['name']    = strip_tags($_POST['name']);
$_POST['email']   = strip_tags($_POST['email']);
$_POST['comment'] = strip_tags($_POST['comment']);
 
Augmented said:
strip_tags returns the string with tags stripped, you can't call by reference.
So,
Code:
$_POST['name']    = strip_tags($_POST['name']);
$_POST['email']   = strip_tags($_POST['email']);
$_POST['comment'] = strip_tags($_POST['comment']);
Ah, that makes sense, thanks, will give it a try :)

Is there any way to make it throw an error if it has to remove tags? E.g. "Sorry, you have entered invalid data, please try again."

Because atm it simply strips it, and then leaves my fields blank, returning the "Blank" error.
Augmented said:
Not with strip_tags(), no. It simply returns a string whatever the result.

Check that the values are not empty with the empty() function before inserting in the database.
http://uk.php.net/manual/en/function.empty.php
*EDIT* OK, think I have it cracked. It will:

1) Check if any fields are blank; if yes, return an error message
2) Strip all HTML tags from the fields
3) Check if any of the fields are now blank due to being stripped; if yes, return an error message, else insert into the database.

Would anyone mind testing my guestbook please to make sure my database etc is nice and secure and that my page cannot be broken? Thanks :)

http://cpanel.lincoln.ac.uk/dci125/guestbook/guestbook.shtml
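The three steps above, as an added example that is not the thread's own code: it rejects input that strip_tags() would change (which is how to get the "invalid data" error, since strip_tags() itself never reports anything), and it uses PDO prepared statements in place of the mysql_* functions so the values cannot alter the SQL. The table name and columns follow the thread; the PDO connection is assumed to be created elsewhere.

```php
<?php
// Added example, not the thread's own code. Assumes a table
// guestbook(name, email, comment) and a PDO connection built by the caller.

/**
 * Returns a list of error messages; an empty list means the input is acceptable.
 * strip_tags() never says whether it removed anything, so the check is
 * "does stripping change the value?". A blank value, or one that would be
 * blank after stripping (e.g. "<br>"), is caught by the same two checks.
 */
function validate_guestbook(array $post): array
{
    $errors = [];
    foreach (['name', 'email', 'comment'] as $field) {
        $value = isset($post[$field]) ? trim((string) $post[$field]) : '';
        if ($value === '') {
            $errors[] = "Please do not leave the $field field blank.";
        } elseif (strip_tags($value) !== $value) {
            $errors[] = "Sorry, you have entered invalid data in the $field field, please try again.";
        }
    }
    if ($errors === [] && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address.';
    }
    return $errors;
}

// Bound parameters travel separately from the statement text, so quotes or
// angle brackets in the values are stored verbatim but cannot change the query.
function insert_guestbook_entry(PDO $db, array $post): bool
{
    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, email, comment) VALUES (:name, :email, :comment)'
    );
    return $stmt->execute([
        ':name'    => trim($post['name']),
        ':email'   => trim($post['email']),
        ':comment' => trim($post['comment']),
    ]);
}

// Escape again on output: the database stores text, it does not sanitise it.
function render_field(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submissions; no database is needed for the validation step.
$clean  = ['name' => 'Bob', 'email' => 'bob@example.com', 'comment' => 'Nice site!'];
$tagged = ['name' => 'Bob', 'email' => 'bob@example.com', 'comment' => '<b>Hi</b>'];
var_dump(validate_guestbook($clean), validate_guestbook($tagged));
```

One caveat: strip_tags() also removes a bare "<" followed by a letter (so "1<2" becomes "1"), which means such comments are rejected too; if that matters, compare with htmlspecialchars() instead and store the escaped form.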
:o I didn't notice you were recording email addresses! Can you delete post 23, or obscure the email address please :)