Hi everyone,
Lets say I've got an input for comments that are then displayed on my site.

A: How do I stop people from entering html into the box (escaping it)

B: I'd still like there to be limited html (colours and such) so how could I make something like bbcode or something like that, that would then be changed to html tags???


Thanks, Keyboard1333

A: strip_tags() (http://php.net/strip_tags)

B: anything wrong with using BBCode (http://php.net/bbcode)?

Thanks traq,
I didn't realise that bbcode was actually a part of php *FACEPALM*.
I looked at the link you gave me but I found it very hard to understand how to install bbcode. I googled how to install it but I couldn't understand it. Any help on how to install it?

Difficulty in installing it and having it extra-customizable would be a reason to write your own. (I've done that a few times. It's slow, but works out in the end.) If you do want to write your own, you can use regex, or a complicated set of string functions.
I'm not sure, and it might depend on your server. If you want to customize a server, it might be good to look into one that is easiest to manage-- sometimes you don't have permission or direct access on cheaper servers. You may also be able to look into your host's support documents.
But in the end, it could be any number of problems (perhaps specific to the server, or about this extension). Not my area of expertise, but if you figure out a bit more info someone else might know. You could also see if another extension installs well, to see if it's specific to this. And there MUST be a good tutorial out there for some extension, so maybe you can apply it to this one.

Hmmm, thanks for the replies guys (ha that rhymes). I think I'll have a go at making my own.

Is there any reason you couldn't do this



$red = str_replace("[red]", "<span style='color:red;'>", "INPUT HERE");


then repeat it for each tag (not going to have that many), or is there a simpler way I'm missing???

Be very careful doing it that way. You need to add some sort of counter to be sure that the HTML is properly balanced. If you don't allow any dangerous HTML tags (like <script>) then the worst that will happen is that your page will be broken, but that's not good either. It might just be invalid HTML, but it could also severely modify the rest of the page, if, for example, there is an unclosed <div> tag.

Thanks for the tip, I'll fiddle with it later...

BBCode might be available to you already - check your phpinfo().

As Daniel says, if you're only dealing with a few tags, then find->replacing them manually would be fine.
If you want to do anything more complex (or risky, like <div>s or <a>s), I'd suggest figuring out the BBCode extension.

If you want to do anything more complex (or risky, like <div>s or <a>s), I'd suggest figuring out the BBCode extension.

Why do you say divs and/or <a>s are dangerous?

<div>: because they will ruin your page layout very quickly if they're not properly nested.

<a>: same reason, plus different browsers "fix" unclosed <a>s differently: in some cases, the whole rest of the page will be a hyperlink.

another thing to consider if if you accept attribute values. Make sure they're properly validated, or you might end up with injected javascript (XSS attacks).

check.php



<?php
if(isset($_POST['textarea1'])) {
$value = $_POST['textarea1'];
include "bb.php";
echo bb($value);
}
?>
<!DOCTYPE html>
<html>
<head>
</head>
<body>
</body>
</html>


bb.php



<?php
function bb($elem) {
while(substr_count($elem, '') > 0 and substr_count($elem, '') > 0) {
$elem = preg_replace('', '<span style="color:red">', $elem, 1);
$elem = preg_replace('', ',</span>', $elem, 1);
}
return $elem;
}
?>


$_POST['textarea1'] is hello

it outputs

[]hello[,]

when I would like it to output

hello

any help?

*BUMP*
I'm still looking for an answer...

<?php
$bbtext = "try something like this";
$find = '#(\[red\])(.*)(\[/red\])#ui':
$replace = '<span style="color: red;">$2</span>';
print preg_replace( $find,$replace,$bbtext );

Is there any way to adapt that to work like this -


$find[0] = '#(\[b\])(.*)(\[/b\])#ui';
$find[1] = '#(\[i\])(.*)(\[/i\])#ui';
$replace[0] = '<b>$2</b>';
$replace[1] = '<i>$2</i>';
for ($counter1 = 0; $counter1 <= count($shortcut); $counter1 += 1) {
$text = preg_replace($find[$counter1],$replace[$counter1],$text);
}

Don't need a loop - preg_replace can take arrays as its arguments.

RocketTheme's RokCandy is on GPL licence, so you could pick that apart and work out the best way to get BBCode style functionality for a lot more complex things than bold and italic.

http://www.rockettheme.com/extensions-joomla/rokcandy

RocketTheme's RokCandy is on GPL licence, so you could pick that apart and work out the best way to get BBCode style functionality for a lot more complex things than bold and italic.

http://www.rockettheme.com/extensions-joomla/rokcandy

Thanks Traq!

Also, Apache Tech, I mentioned ealier in the thread that I only want s few basic bbcodes, not all of them - that's why I'm doing it this way...