Forum Moderators: coopster
[php.net...]
I read that article and it seemed like it only blocked certain codes you tell it to block. But I want to block everything except a couple of codes. I kept on reading and it said something about allowed_tags() so I searched that on Google and I found this code fgetss() so I wrote this:
$news = fgetss($post, '', '<p><a><img><b><br><center><font><hr><i><li><marquee><strong><sub><sup>');
I thought it would work but it didn't.
any help is needed...
thanks,
electricocean
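function var_html_encode($varia) {
    // Trim whitespace from both ends
    $varia = rtrim($varia);
    $varia = ltrim($varia);
    // Store line breaks as CRLF instead of <br>
    $varia = str_replace("<br>", "\r\n", $varia);
    // Convert every character that has an HTML entity, quotes included
    $varia = htmlentities($varia, ENT_QUOTES, "utf-8");
    return $varia;
}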
This will decode - use of html_entity_decode()
function var_html_tagdecode($varia) {
    // Turn the stored entities back into characters
    $varia = html_entity_decode($varia, ENT_QUOTES);
    // Remove every tag except <br>
    $varia = strip_tags($varia, "<br>");
    return $varia;
}
Note the strip_tags function, meaning that all HTML elements are removed except the break element.
Hope this helps.
so if I used this code:
function var_html_tagdecode($varia) {
    $varia = html_entity_decode($varia, ENT_QUOTES);
    $varia = strip_tags($varia, "<br>");
    return $varia;
}
does $varia mean the post?
and why are all the variables named $varia?
if the posting is $post = $_POST['news'];
could I do this:
$post = $_POST['news'];
$post=html_entity_decode($post,ENT_QUOTES);
$vpost=strip_tags($post, "<br>");
return $post;
?
Thanks for the help,
electricocean
Then, if $post = $_POST['news'];
you can just say
$post = var_html_tagdecode($_POST['news']); to DECODE
$post = var_html_encode($_POST['news']); to ENCODE
REMINDER, always encode your variables before inserting them in your database (all your text data should be encoded using the encode function). Then, to retrieve the data, you can use any decode function you have created (e.g. one removing all tags, one leaving a few tags like <b>, <i>, <br>, one leaving all tags). To sum up, you should have ONE encode function and MANY decode functions.
Hope this helps.
you can then use ereg_replace(item to be replaced, replaced with, $string)
you can then make up your own tags
ex.
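$string = '(link)www.nowhere.com(/link)';
// The parentheses are escaped so they match literally instead of forming a regex group
$string = ereg_replace('\\(link\\)', '<a href="', $string);
$string = ereg_replace('\\(/link\\)', '">', $string);
you may have to escape some of the characters with \\. I still have trouble with escaping characters.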
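
The whitelist idea discussed in this thread, as an added example that is not part of any poster's reply: strip_tags() with an allowed-tag list keeps every attribute on the tags it lets through (an onclick handler, a javascript: href), so this sketch encodes the whole post first and then re-enables only attribute-free tags, with links going through the made-up (link) tag from the last post. The function name render_post(), the tag list and the sample input are assumptions.

```php
<?php
// Added example, not code from the thread. render_post() and ALLOWED_TAGS are hypothetical names.

// Tags re-enabled after encoding; none of them may carry attributes.
const ALLOWED_TAGS = ['p', 'b', 'i', 'br', 'hr', 'li', 'strong', 'sub', 'sup'];

function render_post(string $raw): string
{
    // 1. Encode everything, so no user-supplied markup survives as markup.
    $out = htmlspecialchars(trim($raw), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Turn back only bare allowed tags: &lt;b&gt;, &lt;/b&gt;, &lt;br /&gt;.
    //    A tag with attributes (&lt;b onclick=...&gt;) does not match and stays encoded.
    $tags = implode('|', ALLOWED_TAGS);
    $out = preg_replace("~&lt;(/?)($tags)\s*/?&gt;~i", '<$1$2>', $out);

    // 3. Links use the made-up (link)...(/link) tag; only http/https URLs are accepted.
    return preg_replace_callback(
        '~\(link\)(.*?)\(/link\)~s',
        function (array $m): string {
            $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
            if (!in_array($scheme, ['http', 'https'], true)) {
                return $m[0]; // rejected: leave the text as typed, still encoded
            }
            $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            return '<a href="' . $safe . '" rel="nofollow noopener">' . $safe . '</a>';
        },
        $out
    );
}

// Constructed sample input: allowed tags, a tag with an event handler,
// a script element, one acceptable link and one javascript: link.
$post = "<b>Hello</b> <b onclick=\"alert(1)\">x</b><script>alert(2)</script><br>"
      . "(link)https://www.example.com/?a=1&b=2(/link) (link)javascript:alert(3)(/link)";
echo render_post($post), "\n";
```

In the output only the bare `<b>`, `</b>` and `<br>` come back as markup and only the https link becomes an anchor; the onclick tag, the script element and the javascript: link are displayed as text.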