cleanin up contact textarea - CodingForum

  • cleanin up contact textarea

    Hi, I have a contact form and I have been playing with nl2br as well as stripslashes, htmlspecialchars and htmlentities to try to clean this up. I am obviously doing it wrong; is there a special order they need to be in if I mix them?

    Here is what I have right now:

    Code:
    $message = stripslashes(htmlspecialchars($message));

    And here is a sample of what is on the form when I get it in the mail:

    Customer Text: now lets see what happens when i press return right here <br /> <br />now lets see about spaces  <br /> <br />now lets try <br />

    How would I go about cleaning up that result?
    If a php file only has php code within it you do not need to use the closing php tag
    A good way to remember objects from arrays is you shoot objects with arrows Example: $name->id; then Arrays are $name['id'];
    durangod is short for durango dave

  • #2
    Try this:
    PHP Code:
    $message = htmlspecialchars_decode($message);
    If you can't stand behind your troops, feel free to stand in front of them
    Semper Fidelis



    • #3
      Appreciate that, but unfortunately it still came through as this:


      Customer Text: ok lets try this now &nbsp;<br />to see what happens now&nbsp;<br />&nbsp;<br />ok now what


      • #4
        Originally posted by durangod View Post
        Appreciate that, but unfortunately it still came through as this:
        I don't really get what the problem is with that output? Surely that's the kind of output you would want, in order to format it properly in html?
        Useful function to retrieve difference in times
        The best PHP resource
        A good PHP FAQ
        PLEASE remember to wrap your code in [PHP] tags.
        PHP Code:
        // Replace this
        if(isset($_POST['submitButton']))
        // With this
        if(!empty($_POST))
        // Then check for values/forms. Some IE versions don't send the submit button 
        Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.



        • #5
          Why is that stuff in there in the first place? If you got a simple textarea in your contact form, the server receives its contents as pure text, so obviously you are doing something to it afterwards. Whatever that is, don't do it, and you'll be fine.
          .My new Javascript tutorial site: http://reallifejs.com/
          .Latest article: Calculators — Tiny jQuery calculator, Full-fledged OOP calculator, Big number calculator
          .Latest quick-bit: Including jQuery — Environment-aware minification and CDNs with local fallback



          • #6
            This is one of those common mistakes learners put into all their security efforts: put in a few functions that convert strings with HTML code and strip some slashes, and all will be safe. Unfortunately it doesn't work like that; you need to examine each function and see what it actually does, and how SQL injections actually work, before you can fight off an attack. Unfortunately most learners just think throwing those functions into a custom function will just 'work'.

            Textareas don't need html text so if you're trying to put it there from a database you don't even need to use nl2br() as text areas in effect use the <pre> tags internally.
            "Tango says double quotes with a single ( ' ) quote in the middle"
            '$Name says single quotes with a double ( " ) quote in the middle'
            "Tango says double quotes ( \" ) must escape a double quote"
            '$Name single quotes ( \' ) must escape a single quote'
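An added example (not code from anyone in this thread) that puts the advice in #5 and #6 into practice: the textarea arrives as plain text, so a plain-text email needs no HTML functions at all, and when the same text is later rendered as HTML the order is htmlspecialchars() first, then nl2br(). The $raw string and the function names are constructed for the example.

```php
<?php
// Constructed sample of what a textarea submits: plain text with
// "\r\n" line breaks and no HTML; the "<here>" shows what escaping does.
$raw = "now lets see what happens\r\n\r\nwhen i press return <here>";

// stripslashes() only belongs here when magic_quotes_gpc added the
// slashes (old PHP). Anywhere else it eats the customer's own backslashes.
function undoMagicQuotes(string $s): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($s);
    }
    return $s;
}

// Plain-text email body: no htmlspecialchars(), no nl2br(). The mail
// client renders newlines itself, so only normalise the line endings.
function forPlainTextMail(string $s): string
{
    return str_replace(["\r\n", "\r"], "\n", $s);
}

// HTML output (e.g. posting a testimonial on a page): escape FIRST so the
// customer's "<here>" becomes "&lt;here&gt;", THEN let nl2br() insert the
// "<br />" tags that must stay as real markup.
function forHtml(string $s): string
{
    return nl2br(htmlspecialchars($s, ENT_QUOTES, 'UTF-8'));
}

// The reverse order is the usual mistake: htmlspecialchars() now escapes
// the "<br />" that nl2br() just inserted, so the browser shows literal
// "&lt;br /&gt;" text instead of line breaks.
function forHtmlWrongOrder(string $s): string
{
    return htmlspecialchars(nl2br($s), ENT_QUOTES, 'UTF-8');
}

$text = undoMagicQuotes($raw);
echo "--- plain-text mail ---\n", forPlainTextMail($text), "\n";
echo "--- html, correct order ---\n", forHtml($text), "\n";
echo "--- html, wrong order ---\n", forHtmlWrongOrder($text), "\n";
```

The point is that each function is tied to one output context (plain-text mail or HTML page), so the choice follows from where the text is going, not from a fixed "safe" chain applied to every input.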



            • #7
              OK thanks, I will recheck after a while to make sure (I didn't see any so far). I don't have any other filters for that form input, and if I find one I'll remove it. Thanks.

              And the reason I don't like it is: if it's just a sentence or two it's OK, but some of my customers write books, and when it's that long it's very hard to follow properly. Also, if they send me a long book-type reply about how much they love my service and agree to let me post the testimonial, then I have to spend forever cleaning it up first.

              And I just saw that, Tango, thanks. The nice thing about it is that this contact system does not connect to the DB at all; it's all internal, it neither stores nor retrieves anything from the DB, there is not even a connection to it, so I don't even need mysql_real_escape_string (or do I, lol).
              Last edited by durangod; Aug 18, 2011, 06:42 PM.