stripslashes() and htmlspecialchars() problem!

"Phil Powell" <so*****@erols.com> wrote in message
news:F1gWa.130$cf.29@lakeread04...

If $val is the following:

...Just revamped the site's Content Management Application I built.. so do
bear in mind.. sorry!

Phil
stripslashes(htmlspecialchars($val)) should produce the following, or so I
thought:

<input type=hidden name=alert value="...Just revamped the site's Content
Management Application I built.. so do bear in mind..
sorry!&lt;br&gt;&lt;br&gt;Phil">

Instead, I get:

<input type=hidden name=alert value="...Just revamped the site\'s Content
Management Application I built.. so do bear in mind.. sorry!

Phil">

What combo of stripslashes() and htmlspecialchars() do I use to ensure I get a single-line entity from an HTML textarea value that could have anything in it, plain and simple?

Phil

Hi Phil,

Just a guess (since this doesn't look like a complete code listing), but are
you picking up the return value, or are you trying to use the string as if
it were passed by reference? This worked for me as long as I displayed the
return value:

$dirty_string = 'Hello. <script
type="text/javascript">window.open("format_hdd.php");</script>';
$clean_string = stripslashes(htmlspecialchars($dirty_string));
echo $dirty_string, '<br />--Becomes--<br />', $clean_string;

Coming from Perl, I've made this mistake plenty in PHP.

HTH,
Zac

"Phil Powell" <so*****@erols.com> wrote in message
news:YFjWa.926$cf.849@lakeread04...

This ended up working for me instead:

foreach ($HTTP_GET_VARS as $key => $val)

if (!in_array($key, $cmaExceptionArray)) {
$val = str_replace("\n\r", '<br>', $val);
$val = str_replace("\n", '<br>', $val);
$val = str_replace("\r", '<br>', $val);
array_push($formQSDupArray, $key); // ADD HERE BEFORE YOU GO TO FORM
PART
echo "<input type=hidden name=$key value=\"" .
stripslashes(htmlentities($val, ENT_COMPAT)) . "\">\n";
}
}

Although I wish I could find a more elegant solution than that.

You can use nl2br to put in your own HTML breaks:

$val = nl2br($val);

This alleviates using three str_replace calls. However, if you want to
still use a replacement method (which drops newlines/returns), I use this
method:

$val = preg_replace('/\n(\r)?/', '<br />', $val);

It might make your code more readable if you do all of your filtering at
once using a function call:

function input_filter($input) {
return(
stripslashes(
htmlentities(
//Add a non-breaking space to sentence spaces.
preg_replace('/ {2}/', '&nbsp; ',
//Replace all newlines
// (with optional carriage returns)
// with <br /> tags.
preg_replace('/\n(\r)?/', '<br />', $input),
),
ENT_COMPAT
)
)
);
}

Then,

$val = input_filter($val);

This should "clean up" a little bit of the code within your loop. This
reduces string filtering to a single line of code, so all you're doing
otherwise is just your form tracking.

HTH,
Zac