$var = str_replace("[player]","<a href=profile.php?t&id=$player", $var); $var = str_replace("[/player]","</a>", $var); PHP: That is what I've got so far, and it is not working. The idea is to let players make links to each other profiles, NOT OUTSIDE THE SITE. so, if one was to write [player]Jack[/player] the outcome would be: <a href="profile.php?id=Jack">Jack</a> PHP: I messed around with this for a few hours, but still couldn't achieve what I wanted. Please help
Regex would be better than str_replace here. Something like: $var = preg_replace('#\[player\](.+?)\[/player\]#', '<a href="profile.php?id=\\1">\\1</a>', $var); PHP:
Thank you! It works nicely. Now my question is, can they modify the link to start stealing each other cookies or whatever. In other words, is it safe to use?
It's not safe as it is. The regex matches anything so if there's no other processing, it could be used to inject HTML/scripts into the page. You should replace .* with a more specific pattern to only allow certain characters. It depends what characters can legitimately be used in your IDs - if it's only alphanumeric, you'll be fine as it is. Otherwise, you'll need further processing to strip out any nasties.
My site is secured and everything is filtered. BUT this won't open up any worm holes? If with those tags they can do everything they can do just by typing in the URL, I'm all good...