
I want to check some strings before sending an email. I have 3 fields: name + email + text.

I'm wondering if mysql_escape_string is good even if I'll not insert the values into a SQL table. So I used:

PHP code:

  $name = trim($name);
  $name = strip_tags($name);
  # etc 
Question:
Is it enough?

EDIT: I want to remove HTML tags (except <p> & <br /> from the text field) + trim the strings.

Cheerio
  • What do you mean by "check"? Strip HTML tags? Encode HTML tags? – CodeZombie Jan 21 '12 at 10:30
  • "to check some string" is not quite a good description of what you want to achieve. What do you want to filter out? Do you want to validate it? encode it? get rid of the tags? – Quasdunk Jan 21 '12 at 10:31
  • possible duplicate: http://stackoverflow.com/questions/1336776/xss-filtering-function-in-php – Zul Jan 21 '12 at 10:36
  • simple solution is validate the input fields to the visitors – jogesh_pi Jan 21 '12 at 10:36
  • @Zulkhaery Basrul It's not a duplicate. Read my question, I ask if it's enough – Cheerio Jan 21 '12 at 10:39
  • `mysql_escape_string` is never a good option, not even when you want to insert the string in a MySQL database. – Arjan Jan 21 '12 at 10:42

4 Answers

2

Actually, you can pass strip_tags what you want to allow.

example:

<?php
$text = '<p>Test paragraph.</p><br><br>';
// Allow <p> and <br>
echo strip_tags($text, '<p><br>');
?>
1

If you want to remove all HTML tags except <p> & <br />:

$name = strip_tags(trim($name), '<p><br>');

Second argument to strip_tags (Docs) is the allowed tags. But you cannot specify which attributes to preserve or drop for the tags with that function.

I'm pretty sure how to do that has already been asked on this site, so you should do a search or look at this duplicate:

Sarfraz
  • 1
    But it doesn't strip any attributes like `onclick`! Example: `Some text` – ComFreek Jan 21 '12 at 10:44
  • @ComFreek: As a good practice, you should not have inline event handlers in the first place. Your javascript code should be separate and unobtrusive. – Sarfraz Jan 21 '12 at 10:52
  • 2
    @Sarfraz That's not the point if it's about *sanitizing user input*. – deceze Jan 21 '12 at 11:48
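The two answers above and the comment thread under them, worked through as an added example (this is not code from either answer): strip_tags() applied per field the way the question asks, followed by a demonstration of the attribute problem ComFreek raised, and one way to close it that is my own addition, a hypothetical drop_attributes() helper that rewrites the kept tags without any attributes at all. All input strings are constructed for the demo.

```php
<?php
// Added example, not code from the answers or comments above.
// All input strings below are constructed for the demo.

// Name field: plain text only, so every tag goes. Trimming after
// strip_tags also removes whitespace that was only inside tags.
function clean_name($name) {
    return trim(strip_tags($name));
}

// Text field: keep <p> and <br />, drop everything else. strip_tags
// compares tag names, so '<br>' in the allow-list also keeps '<br />'.
function clean_text($text) {
    return trim(strip_tags($text, '<p><br>'));
}

// Hypothetical helper (assumption, not from the page): rewrite every
// kept <p> / <br> with no attributes. This is an allow-list (keep
// nothing) rather than a deny-list of event names, so onclick, style,
// etc. all vanish together.
function drop_attributes($html) {
    return preg_replace('/<(\/?)(p|br)\b[^>]*>/i', '<$1$2>', $html);
}

function clean_text_hardened($text) {
    return drop_attributes(clean_text($text));
}

// Tags are removed, but text between them (a script body included) stays.
echo clean_name("  <b>Alice</b> <script>alert(1)</script>  "), "\n";
// Alice alert(1)

echo clean_text("<p>Hello</p><br />line two<img src=x onerror=alert(1)>"), "\n";
// <p>Hello</p><br />line two

// strip_tags keeps an allowed tag with all of its attributes intact:
echo clean_text('<p onclick="alert(1)">Hi</p>'), "\n";
// <p onclick="alert(1)">Hi</p>

echo clean_text_hardened('<p onclick="alert(1)">Hi</p><br style="x" />'), "\n";
// <p>Hi</p><br>
```

One caveat on drop_attributes(): its `[^>]*` stops at the first `>`, so a quoted attribute value containing `>` (which strip_tags itself handles) leaves the remainder behind as plain text rather than as a tag; that remainder is inert, but the output is not byte-for-byte what a proper HTML parser would produce.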
1

You really want to read the documentation of filter_var, filter_var_array, filter_input and filter_input_array. That's the modern way to go; with this you're able to compose complex filtering and sanitizing.

Jens Kohl
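The filter extension applied to the OP's three fields, as an added example that is not part of the answer above: one filter definition composed with filter_var_array(), a FILTER_CALLBACK for the two free-text fields and FILTER_VALIDATE_EMAIL for the address. The $good and $bad arrays stand in for $_POST and are constructed for the demo; validate_contact_form() and contact_form_filters() are names I chose, not part of PHP.

```php
<?php
// Added example, not from the answer above. $good / $bad are constructed
// stand-ins for $_POST; for a real request use
// filter_input_array(INPUT_POST, contact_form_filters()) instead.

function contact_form_filters() {
    return array(
        // name: plain text, tags stripped, whitespace trimmed
        'name'  => array(
            'filter'  => FILTER_CALLBACK,
            'options' => function ($v) { return trim(strip_tags($v)); },
        ),
        // email: must parse as a single address, otherwise comes back false
        'email' => FILTER_VALIDATE_EMAIL,
        // text: keep only <p> and <br />
        'text'  => array(
            'filter'  => FILTER_CALLBACK,
            'options' => function ($v) { return trim(strip_tags($v, '<p><br>')); },
        ),
    );
}

// Returns array('ok' => bool, 'fields' => array, 'errors' => array).
function validate_contact_form(array $input) {
    // third argument false: do not add null entries for missing fields
    $fields = filter_var_array($input, contact_form_filters(), false);
    $errors = array();

    foreach (array('name', 'email', 'text') as $key) {
        if (!isset($fields[$key]) || $fields[$key] === '') {
            $errors[$key] = 'missing';
        }
    }
    // FILTER_VALIDATE_EMAIL yields false (not null) for a bad address,
    // so isset() is true and the check above does not catch it.
    if (isset($fields['email']) && $fields['email'] === false) {
        $errors['email'] = 'invalid address';
    }

    return array('ok' => empty($errors), 'fields' => $fields, 'errors' => $errors);
}

$good = array(
    'name'  => '  <b>Bob</b> ',
    'email' => 'bob@example.com',
    'text'  => '<p>Hi</p><script>x</script>',
);
$bad = array(
    'name'  => '<script></script>',
    'email' => 'bob at example.com',
    'text'  => '<p>Hi</p>',
);

var_dump(validate_contact_form($good));
// ok => true; fields: name "Bob", email "bob@example.com", text "<p>Hi</p>x"
var_dump(validate_contact_form($bad));
// ok => false; errors: name "missing", email "invalid address"
```

The point the answer makes is visible in the shape of the code: the per-field rules live in one definition array, and the same definition drives filter_var_array() in a test and filter_input_array() against the live request.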
0

I didn't create this snippet, and I've misplaced the source, but this function seems to do a decent job of sanitizing for me and my low-traffic sites:

#   Sanitizer function - removes forbidden tags, including script tags
function strip_tags_attributes( $str, 
    $allowedTags = array('<a>','<b>','<blockquote>','<br>','<cite>','<code>','<del>','<div>','<em>','<ul>','<ol>','<li>','<dl>','<dt>','<dd>','<img>','<ins>','<u>','<q>','<h3>','<h4>','<h5>','<h6>','<samp>','<strong>','<sub>','<sup>','<p>','<table>','<tr>','<td>','<th>','<pre>','<span>'), 
    $disabledEvents = array('onclick','ondblclick','onkeydown','onkeypress','onkeyup','onload','onmousedown','onmousemove','onmouseout','onmouseover','onmouseup','onunload') )
{       
    // Drop every tag that is not on the allow-list first.
    $str = strip_tags($str, implode('', $allowedTags));
    if( empty($disabledEvents) ) {
        return $str;
    }
    // Inside each remaining tag: drop javascript: URLs, drop the listed
    // (quoted) on* attributes, collapse whitespace runs to one space.
    $patterns = array('/javascript:[^"\']*/i',
                      '/(' . implode('|', $disabledEvents) . ')=["\'][^"\']*["\']/i',
                      '/\s+/');
    $replacements = array('', '', ' ');
    // The original used preg_replace with the /e modifier (deprecated in
    // PHP 5.5, removed in PHP 7); preg_replace_callback does the same job.
    return preg_replace_callback('/<(.*?)>/is', function ($m) use ($patterns, $replacements) {
        return '<' . preg_replace($patterns, $replacements, $m[1]) . '>';
    }, $str);
}

HTH.

Tieson T.