I have CKEditor embedded in my page. I need to prevent plain whitespace and line breaks that don't come with any characters. There must be at least one actual visible character.
The following answer is totally inconsistent: sometimes it works fine and sometimes it does nothing and allows whitespace:
if (!empty($_POST['rtxt_article']))
{
    if (trim(strip_tags($_POST['rtxt_article']))) {
        // do something
    }
    else
    {
        // oops! please fill in data
    }
}
else
{
    // oops! please fill in data
}
I also tried this:
$plainText  = strip_tags($_POST['rtxt_offer']);
$isNotEmpty = trim($plainText);
if ($isNotEmpty)
{
    // do something
}
When the above snippet doesn't have any effect anymore, I put a ! sign in and the snippet works again. After a while, the snippet doesn't work until I remove the ! and vice versa. Totally inconsistent. This is how I put the !:
if(!$isNotEmpty) ...
if (!trim(strip_tags($_POST['rtxt_article']))) ...
Any idea? Any other solution?
Give this a shot. It will first check to see if there is actually input, using the empty() function. By adding the ! to empty(), the if statement is being asked whether $_POST['rtxt_article'] is NOT empty, meaning that there is at least one character in it.
if (!empty($_POST['rtxt_article']) && trim(strip_tags($_POST['rtxt_article']))) {
    // do something
}
If for some reason it is still being passed with the new line character, then you could scrub the $_POST var first.
edited:
$var = trim($_POST['rtxt_article']);
if (!empty($var)) {
    // do something
}
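For a CKEditor form the two checks above still let a visually empty editor through, because CKEditor typically posts `<p>&nbsp;</p>` or `<p><br></p>`, and the `&nbsp;` entity survives `strip_tags()` as U+00A0, a character `trim()` does not remove by default. The following is an added example, not code from the question or either answer; the helper name `has_visible_content()` and the sample inputs are assumptions, and it needs PHP 7.0 or later for the type declarations.

```php
<?php
// Added example, not code from the question or either answer above.
// The helper name has_visible_content() and the sample inputs are assumptions.

/**
 * Return true only if the CKEditor HTML contains at least one visible character.
 */
function has_visible_content(string $html): bool
{
    // 1. Remove the markup CKEditor wraps around text (<p>, <br>, <div>, ...).
    $text = strip_tags($html);

    // 2. Decode entities: "&nbsp;" becomes U+00A0, a character that the
    //    default character list of trim() does not strip, which is one reason
    //    a trim(strip_tags(...)) check passes an editor that looks empty.
    $text = html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 3. Drop every ASCII and Unicode whitespace character (\p{Z} covers
    //    U+00A0) plus zero-width spaces; anything left is visible input.
    $text = preg_replace('/[\s\p{Z}\x{200B}]+/u', '', $text);

    // preg_replace() returns null on malformed UTF-8; treat that as empty too.
    return $text !== null && $text !== '';
}

// Constructed samples that mimic what CKEditor posts, with the expected verdict.
$samples = [
    '<p>&nbsp;</p>'        => false,  // an "empty" editor
    "<p><br></p>\r\n"      => false,
    "   \t\n"              => false,
    '<p>Hello</p>'         => true,
    '<p>&nbsp;x&nbsp;</p>' => true,   // one real character among nbsp padding
];

foreach ($samples as $input => $expected) {
    $actual = has_visible_content($input);
    printf("%-24s -> %s\n", json_encode($input), $actual ? 'has content' : 'empty');
    if ($actual !== $expected) {
        throw new RuntimeException('unexpected result for ' . json_encode($input));
    }
}

// In the form handler (the ?? operator needs PHP 7.0+):
// if (!has_visible_content($_POST['rtxt_article'] ?? '')) { /* please fill in data */ }
```

This is a presence check only: keep the original HTML for storage, and encode or whitelist it when it is rendered, since `strip_tags()` is used here to decide emptiness, not to make the content safe for output.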
I am maintaining the code from another developer, and I just found this code in the source code in his files:
function update($set, $args)
{
    ;
    if (!empty($args))
    {
        if (!empty($args['id']))
        {
            $id = $args['id'];
            return update_post_meta($id, '_quizdata', $set);
        }
    }
    return false;
}
As you can see, in line three there is a Greek question mark. Can this question mark have any special meaning, or can it harm the code somehow?
It is the first time I see something like that. Also, I do not get any errors in my error logs, but I don't even know if this code is executed in order to produce any error.
Kind regards
Nothing, it is a simple empty statement.
Hi, I have a PHP variable called Keyword; what I am trying to find out is if there is any content in the variable.
if (isset($keyword)) {
Using the above code it returns values that are blank.
Use empty():
if (isset($keyword) && !empty($keyword)) {
Use this:
if (!empty($keyword)) {
try
$keyword = trim($keyword); // keep the trimmed value; trim() returns a new string
if (isset($keyword) && !empty($keyword)) {
    // Code here
}
Edit:
This fixed your problem because you had trailing whitespace in your variable. Even though it appeared empty, it still had a space or carriage return.
I am creating a validation script which is way more advanced than this little section, I am just printing the specific part I am having issues with.
The script simply takes in a single dimensional array with a list of settings, performs required tests and spits out a multidimensional array with the required string, all clean free of badness.
For some reason the trim(), strip_tags() and strip_html_tags() functions are working but failing at the same time. By this I mean the string is passed through the functions and shows as clean, but the built-in PHP functions aren't working as expected.
The question is: do the built-in functions only work on text that is directly output to the user, or should the functions work pre-output, i.e. as it is being output, not while being stored in a database?
I'm looking to strip all script tags as the user inputs so I only have the plain text.
I was wanting to use a switch with each statement, which I have; the functions below are snippets from switch statements.
What I am trying to use, which doesn't work as expected:
function check_input1($input)
{
    if (trim($input))
    {
        $cleaninput[$i][$input] = 'CLEAN';
    } else
        $cleaninput[$i][$input] = 'DIRTY';
}

function check_input2($input)
{
    if (strip_tags($input))
    {
        $cleaninput[$i][$input] = 'CLEAN';
    } else
        $cleaninput[$i][$input] = 'DIRTY';
}

function check_input3($input)
{
    if (strip_html_tags($input))
    {
        $cleaninput[$i][$input] = 'CLEAN';
    } else
        $cleaninput[$i][$input] = 'DIRTY';
}
What I know works when directly output in HTML elements:
strip_tags(trim($key))
strip_tags(trim($value))
The question is: do the built-in functions only work on text that is directly output to the user, or should the functions work pre-output, i.e. as it is being output, not while being stored in a database?
The functions in question work on any string. There is no difference between a string destined for the database and a string destined for stdout.
Your problem is that you seem to be expecting the functions to return true/false, as some kind of indication that they found something to strip. That's not how they work. They return the modified string. Every single if condition will enter the CLEAN section (assuming its function doesn't return ""), and silently throw away the cleaned string which was returned by the function.
What you want is something like this:
function check_input3($input)
{
    $output = strip_html_tags($input);
    if ($output == $input) {
        // strip_html_tags didn't remove anything
        $cleaninput[$i][$input] = 'CLEAN';
    } else {
        // variables differ, so strip_html_tags found something to remove
        $cleaninput[$i][$input] = 'DIRTY';
    }
}
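The point of the answer above is that `trim()` and `strip_tags()` return the filtered string rather than a boolean, so the verdict has to come from comparing input and output, and the returned string should be kept rather than thrown away. The following is an added example, not the asker's or answerer's code; `check_fields()` and the `$settings` array are assumptions, and it uses only built-in functions so it does not depend on the asker's `strip_html_tags()`.

```php
<?php
// Added example; it is not the asker's or answerer's code. check_fields() and
// the $settings array are assumptions made for this demo.

/**
 * Run each setting through trim() and strip_tags(), keeping the returned
 * string (the filters return strings, never booleans) and marking the field
 * DIRTY when any filter changed it.
 */
function check_fields(array $settings): array
{
    $filters = ['trim', 'strip_tags'];   // built-in functions, called by name
    $result  = [];

    foreach ($settings as $key => $value) {
        $clean   = (string) $value;
        $verdict = 'CLEAN';

        foreach ($filters as $filter) {
            $filtered = $filter($clean);
            if ($filtered !== $clean) {
                $verdict = 'DIRTY';        // the filter removed something
            }
            $clean = $filtered;            // keep the cleaned value, don't discard it
        }

        $result[$key] = ['value' => $clean, 'status' => $verdict];
    }

    return $result;
}

// Constructed input: a one-dimensional settings array as in the question.
$settings = [
    'title'   => '  Quarterly report ',
    'comment' => 'Hello <b>bold</b> world',
    'slug'    => 'plain-text',
];

foreach (check_fields($settings) as $key => $info) {
    // strip_tags() is a cleanup step, not an XSS defence: still encode on output.
    printf("%-8s %-6s %s\n", $key, $info['status'],
        htmlspecialchars($info['value'], ENT_QUOTES, 'UTF-8'));
}
```

With this input `title` and `comment` come back DIRTY (whitespace and a tag were removed) and `slug` comes back CLEAN, and the multidimensional result carries the cleaned value alongside the verdict. Whether a value is stored or printed makes no difference to the filters; what does matter is that the value is still encoded with `htmlspecialchars()` at the point where it is written into HTML.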
For others' reference, you might want to consider the Inspekt PHP 4 and 5 framework for input validation, funded by OWASP: code.google.com/p/inspekt/wiki/DocsAndSupport. It provides a firewall-type scenario between the input and output... nice little tutorial here: codediesel.com/php/data-filtering-and-validation-using-inspekt
Usually I use the trim() PHP function to check if data is not empty. Also, for MySQL I use mysql_real_escape_string(). Is this enough, or do I need to perform additional checks?
To check if data is "empty", you can use empty().
Yes, to escape data you use mysql_real_escape_string() for MySQL. By default, trim() is used to trim trailing and leading whitespace, if used without additional parameters.
Is it so hard to check in the manual what each function does?
I usually do this:
$foo = isset($_POST['bar']) ? trim($_POST['bar']) : '';
if (!empty($foo))
    $db->query("UPDATE table SET foo = '" . mysql_real_escape_string($foo) . "'");
if (!empty($_POST['data']) && other controls) {
    // Success
    $data = mysql_real_escape_string($_POST['data']); // escape the posted value
    $sql  = "SELECT * FROM users WHERE data = '$data'";
    mysql_query($sql);
}
I tend to use isset($_POST['key1'], $_POST['key2'], $_POST['keyn']) as a starting point for determining if a form has had all required data submitted, along with testing things such as $_SERVER['REQUEST_METHOD'], $_SERVER['SERVER_PORT'], $_SERVER['REQUEST_URI']. Trimming is not harmful, but I just go for the jugular with preg_match($needle, $haystack) and make the regular expression non-greedy and non-buffer capturing. In short, why condition input when you can just make the test fail to begin with?
The language construct empty() works, but does it really matter if the value doesn't match the pattern you are looking for? As for performance, who can say if someone copied and pasted the Oxford English Dictionary what would happen in either case.
function ValidatePostKeyAndValue($input, $pattern, $length)
{
    if (isset($input) &&
        preg_match($pattern, $input) &&
        ctype_print($input) &&
        strlen($input) <= $length &&
        is_string($input))
    {
        return true;
    }
    else
    {
        return false;
    }
}
I could do more or less, depending on the situation. Boolean functions are your friends.
As for your $data variable, I think it would be wise to consider whether the wildcards _ and % might appear in your data. If so, addcslashes() can be used to target those characters in your string. Overall though, moving to mysqli() will save you from having to use mysql_select_db(). mysqli_connect() does this for you! Well worth the switch.
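The answers above combine two ideas: reject input that does not match a strict pattern, and keep user data out of the SQL text. The following added example (not code from the question or any answer) does both: a whitelist check in the spirit of ValidatePostKeyAndValue() and a parameterised query through PDO, which removes the need for mysql_real_escape_string() altogether (the mysql extension it belongs to was removed in PHP 7.0). It assumes the pdo_sqlite extension and PHP 7.1+; an in-memory SQLite database stands in for MySQL, and the table, rows and request values are constructed for the demo.

```php
<?php
// Added example, not code from the question or the answers. It assumes the
// pdo_sqlite extension is available (an in-memory database stands in for
// MySQL); the users table, its rows and the request values are constructed.

/** Whitelist check in the spirit of ValidatePostKeyAndValue(): pattern, printable, bounded. */
function is_valid_field(?string $input, string $pattern, int $maxLength): bool
{
    return $input !== null
        && strlen($input) <= $maxLength
        && ctype_print($input)
        && preg_match($pattern, $input) === 1;
}

/** Parameterised lookup: the driver sends the value separately from the SQL text. */
function find_user(PDO $db, string $data): ?array
{
    $stmt = $db->prepare('SELECT id, data FROM users WHERE data = :data');
    $stmt->execute([':data' => $data]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, data TEXT NOT NULL)');
$db->exec("INSERT INTO users (data) VALUES ('alice'), ('o''brien')");

// Constructed request values: one with a quote that string concatenation would
// have to escape, one unknown user, one with a control character, one too long.
$requests = ["o'brien", 'carol', "alice\x01", str_repeat('a', 40)];
$pattern  = '/^[A-Za-z0-9_\'\-]{1,32}$/';

foreach ($requests as $data) {
    $data = trim($data);                       // trimming is harmless, as the answer says
    if (!is_valid_field($data, $pattern, 32)) {
        echo 'rejected: ' . json_encode($data) . "\n";
        continue;
    }
    $row = find_user($db, $data);
    echo json_encode($data) . ' => ' . ($row ? "id {$row['id']}" : 'no match') . "\n";
}
```

The quoted name is found because the bound parameter is never spliced into the query string, so there is nothing to escape; the control character and the over-long value are rejected before any database call, and the unknown user simply returns no row. The same two functions port to MySQL by changing the DSN, and the LIKE wildcards the answer mentions only matter if the column is queried with LIKE, where addcslashes() on the value can still be combined with a bound parameter.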
Basically, what I want to know is: for the second parameter of the create_function function, is there any way to pass a string without a semicolon? Or will it not work?
example:
taken from php.net
$f = create_function('$a,$b', 'return "CRCs: " . crc32($a) . " , " . crc32($b);');
Notice that there is a semicolon in the string. Is there any possible way someone can enter a function without a semicolon that will still run/evaluate?
With create_function() you're creating an anonymous function. The second parameter is a string that is the code of the function (like any other function you'd write). It doesn't have to end in a semicolon, for example:
$coolfunction = create_function('$thing', 'if ($thing > 0) {return "Yes"; } else { return "no!"; }');
echo $coolfunction(1) . ' and ' . $coolfunction(-1);
It ends in a '}' and prints out: Yes and no!
No, it is not possible. PHP is semicolon-sensitive: you must use it to terminate every statement before a right brace. I even tried a regular function like this:
function f() {
    return 1
}
and it spat out a syntax error, unlike in JavaScript.
You should always sanitize any user input before using it.
I suggest that you look for the semicolon in the user input, if it is missing, append it.
If the user can enter anything here you still have a problem if he enters an invalid function name or just rubbish.
You can validate with preg_match() (although I'm not an expert on preg so I will let someone else help you out there).
First, why do you need that? That's a really dirty way to create a function. I hope it is because you want to make an interface where people can directly create a function (and this will be only for you, or it'll be a big security issue). I don't really get how you want to use that.
Anyway, for your question, you don't have to care if it's working or not. I mean, just test if it's working; if not, just put a semicolon in yourself. It's just a simple test on a string.