I’ve been doing an awful lot of string manipulation while creating the Spyda content management system (working title theKore) so I thought I would make todays article about the PHP functions I use most regularly for cleaning up and manipulating content entry.
strip_tags
First up and I would say the most important for content entry that you are not responsible for.
Not using this function to clean the input is just asking for someone to destroy your site in one go. Any amount of malicious code can be hidden within content entered, leaving the PHP and HTML tags in the string allows someone to simply add links to spam sites in comment forms or at the worst to fire code and possibly hack your database or just drop it completely!
<?php
$string = '<p>This is a comment with a nasty link. <a href="www.nasty.com" title="Nasty Nasty Link">I am a nasty link to stuff you might like to see.</a></p>';
echo strip_tags($string);
?>
This will echo
This is a comment with a nasty link.
The benefits of this function are so apparent I use it on every piece of user entered text, I don’t even have to worry about actual html code entered as you can provide a string of tags to allow through
the clean up process if the situation requires it.
<?php $string = '<p>This is a comment with a link and a frame <a href="/show_stuff" title="See my stuff">See my Stuff</a><frame src="www.nasty.com/evil_nasty_frame.html"></p>'; echo strip_tags($string, '<p><a>'); ?>
This will echo
<p>This is a comment with a link and a frame <a href="/show_stuff" title="See my stuff">See my Stuff</a></p>
explode
This function will take a string and split it into seperate array items.
I use explode when setting up form inputs for the user to enter. Using this method I can add add my own tags into my HTML and using strings and the explode function I can find out specific values.
<?php
$string = '<tag name="inputname" description="This_is_an_input" type="inputbox" />';
$tag = explode(' ',$string);
print_r($tag);
?>
This will echo something like
array()
[0] => tag
[1] => name="inputname"
[2] => description="This_is_an_input"
[3] => type="inputbox"
[4] => />
With a little bit more work you can turn this into an array of variables for use anytime.
strpos
Using a small function utilisting strpos I can remove parts of the string I will know will be there. Strpos does not remove the parts of the string, it only serves to provide the positions of the speech marks so I know where to chop the string, additional code is needed to remove the parts I do not want.
Taking the above $tags example. If I wanted to remove any text that is not in between speech marks I would use the following code.
<?php
foreach($tag as $string_to_check)
{
echo formTags($string_to_check) . '<br />';
}
function formTags($line)
{
//find the position of the first speech mark
$pos = strpos($line, '"');
//increase that position by one to include the speech mark
$pos += 1;
//find the position of the second speech mark
$pos2 = strrpos($line, '"');
//include the speech mark
$pos2 -=1;
//finally remove parts of the string and return
$last = substr($line, $pos, $pos2-$pos1);
return(substr($last, 0, -1));
}
?>
I won’t explain the last part properly yet but the final result would be
<tag inputname This_is_an_input inputbox />
Just to note the use of the string function strrpos which does the same job as strpos only from the end of the string not the beginning.
substr
This function seems complicated but it isn’t. It’s just a case of getting the maths right and with a little experimentation you can use it to remove any part of a string you wish.
As you can see from the strpos example above I have used strpos to calculate the positions of any speech marks in the variable passed to it. I can then, as I said before, use that to remove the parts of the string I do not wish to have anymore.
<?php
//rest of function removed for emphasis
$last = substr($line, $pos, $pos2-$pos1);
return(substr($last, 0, -1));
?>
The first line doesn’t exactly remove the unwanted content…it returns the bits we want to keep. So in the case of $tag[1], which equals the string ‘name=”inputname”‘
<?php
$line ='name="inputname"';
//$pos is the position of the first speech
//$pos2 is calculated using strrpos which as stated before works from the end of the string
//Once we have the first and last positions of the speech marks we can use those values to work out how much of the string to return
//$last = 'inputname"'
$last = substr($line, $pos, $pos2-$pos1);
//The last line returns the final value of $last with the last character removed (the negative value for length removes characters from the end of the string)
//$last = 'inputname'
return(substr($last, 0, -1));
?>
creating this I realised that if i did a simple calculation on $pos2 I could remove the need for the final substr to remove the last speech mark
<?
//find the position of the first speech mark
$pos = strpos($line, '"');
//increase that position by one to include the speech mark
$pos += 1;
//find the position of the second speech mark
$pos2 = strrpos($line, '"');
//include the speech mark
$pos2 -=1;
//this line lowers the length of the string by 1 character thus removing the last speech mark
$pos3 = ($pos2-$pos1) - 1;
//finally remove parts of the string and return
$last = substr($line, $pos, $pos3);
return($last);
?>
Ok final one and most fun
str_replace
I use this string to remove the underscores in multiple words entries in tag descriptions so the explode on a space does not give me an array item for every word in the description.
All the function needs is a string, a character/s to look for and what to replace it with, so to remove my underscores the code is
<?
$string = 'This_is_an_input';
echo str_replace('_', ' ', $string);
?>
The result is
This is an input
You could of course use this for all kinds of nasty purposes like changing all occurances of the letter ‘e’ in a string for the word ‘chicken’. Of course you could just use it as a profanity removal tool.
This is by no means an exhaustive list of string functions in PHP. Some are useful, some are just downright weird (str_shuffle). If this fired thoughts of “Oh I could use that for…” in your head then I would strongly recommend you check out the PHP.net site for all you can do with strings.
P.S. Does anyone have a clue on what you could use str_shuffle for except an anagram program?
Recent Comments