PHP:
$post = strip($_POST['post']);
$post = nl2br($post);

function:

PHP:
if (!function_exists('strip')) {
    function strip($text) {
        if (!isset($text)) {
            return $text;
        } else {
            // delete every character outside the allowed class
            $text = preg_replace("/[^0-9a-z-_. -#]/i", '', $text);
            $text = htmlspecialchars($text);
            $text = strip_tags($text);
            return $text;
        }
    }
}

If I try to use nl2br with this function it won't work. If I do not use this function it does. I narrowed it down to preg_replace:

PHP:
$text = preg_replace("/[^0-9a-z-_. -#]/i", '', $text);

This function was created for me, so I cannot really read the array. I tried to change a few things and I just kept getting errors. So what can I change here to keep the security but still use nl2br in my forum I created? <3 thanks
What is the preg_replace supposed to do in the first place... because that's not really the way to do it. Right now you are NEGATING anything that starts from 0 to 9, from a to z and uhh... practically everything:

PHP:
preg_replace("/[^0-9a-z-_. -#]/i", '', $text);

Anything that starts with [^...] *without the dots* is for the code not to list anything in the pattern; it means that it will not list anything from that pattern. And if it does, it will replace it with nothing.
OK, so removing that from the function totally will not affect the security of HTML post entries? I use this function on anything _GET and _POST and a lot of vars. I don't even know if it's 100% foolproof; I'll cross that bridge later. I'll just comment it out for now. Thanks = )
htmlspecialchars() will take care of ampersands and other entities, but still leaves some XSS stuff floating. If you are building a forum then just use regex to do BBCodes, but if you are aiming to use HTML on posts then there's pretty much a lot of reading to do about regular expressions. Nothing is foolproof or bulletproof, there will always be bugs and vulnerabilities, so don't worry about it.
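The following is an added example, not code from the thread. It demonstrates the two points raised above: why the original character class makes nl2br() a no-op (the class never admits "\n", so the newline is deleted before nl2br() runs), and the approach the replies point towards for plain-text posts: escape for HTML output with htmlspecialchars(), then call nl2br() on the escaped string. The function names `strip_like_original` and `render_plain_post` and the sample post are assumptions made for this example.

```php
<?php
// Added example (not from the thread): newline handling versus the original
// allowlist, and an escape-then-nl2br pipeline for plain-text forum posts.

// The pattern from the question. Everything outside the class is deleted.
// The class admits digits, letters, '-', '_', '.', and the range ' '..'#'
// (space, '!', '"', '#'). "\n" is not in it, so line breaks are removed.
const ORIGINAL_PATTERN = '/[^0-9a-z-_. -#]/i';

// Same behaviour as the strip() function posted in the question,
// minus the isset() branch, so the effect on newlines is easy to see.
function strip_like_original(string $text): string
{
    $text = preg_replace(ORIGINAL_PATTERN, '', $text);
    $text = htmlspecialchars($text);
    return strip_tags($text);
}

// Hypothetical hardened version for plain-text posts (no HTML allowed):
// do not delete characters at all; escape them for the HTML context and
// only then convert newlines. nl2br() leaves the original "\n" in place
// and inserts "<br />" before it, so the browser shows the line break.
function render_plain_post(string $text): string
{
    // Normalise Windows/old-Mac line endings so nl2br() sees one form.
    $text = str_replace(["\r\n", "\r"], "\n", $text);
    // ENT_QUOTES escapes both ' and " so the result is also safe inside
    // attribute values; the explicit charset avoids mis-decoding bytes.
    $text = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return nl2br($text);
}

// Constructed sample post containing a tag and a line break.
$sample = "hello <b>world</b>\nsecond line";

// Original pipeline: the "\n" is gone, so nl2br() has nothing to convert.
echo strip_like_original($sample), PHP_EOL;
// -> helloworldsecond line

// Hardened pipeline: tags are rendered as text, line break preserved.
echo render_plain_post($sample), PHP_EOL;
// -> hello &lt;b&gt;world&lt;/b&gt;<br />
//    second line
```

Usage note: `render_plain_post` is for posts that are meant to be displayed as text. If the forum is to accept markup, the replies above are right that an escape-everything pass is not the answer; a BBCode translator that emits only a fixed set of tags from the escaped text is the usual next step, and it sits between the htmlspecialchars() call and nl2br() in the same order shown here.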