OK well I wanted to add some BBCode to my website but I ran into trouble. At first I was useing str_replace() but that does not work if I am trying to make the   code. I think I would use preg_match but I am real confused. Could someone post the source code to make:
  Into:

Also how would I make the code tag so it would replace all [ and ] withen the two strings with &#91 and &#93 example would print the html
Do you get what I am trying to do?
Thanks,
Sparkx
Note: I had to take out some letters in the code above because this forum looked at them wrong.

This post has been edited by sparkx: Aug 20 2007, 03:27 PM

Well, for the url one, I think you could do this: (Where $string is the text you're converting to bbcode)

This gets the text and url from the bbcode, then puts it into an <a> tag.

Looks like it would work but I dont know much about the explode function. The one thing that I see that worries me a little is that ] is being used sepuratly. The question I have is if ] is used incorrectly will it still be recoginized in this str_replace? Example: [url=http://www.example.php" target="_blank] now the replace would look like: <a href="http://www.example.php" target="_blank"> will this cause the ability to inject stuff into the tag? It could be bad if they used " or > would there be a way to replace all " and > in the $url tag without messing up any possible urls? Also will this work multiple times lets say the tag is used more then once? If the URL tag works I dont see why I couldn't do the same with the [cod][/cod] tag and running a string replace for [ and ] for the section inside. Im sorry if I am asking too many questions but I dont want to end up like PHPBB with security holes everywhere.
Thanks for the help,
Sparkx

Well, what you could do is check for an occurence of " in the bbcode, and then tell them that they used an invalid character?

OK so it is secure apparently. Just wanted to make sure. If you dont mind I have anouther related question.
Well on some browsers you dont neccissarly need " in tags to make them valid. I know for some browsers <font color=#00FF00> ect is a valid tag. The point I was trying to make is if there is a way to check the URL for if it is valid and is not added onto (injection ect)? I know you can get php to check an image for size ect. Is PHP also able to check a url for valid? What I was thinking was if the URL was invalid or was a .exe ect url that downloads something it would be replaced with Invalid URL rather then <a href=... That could be done if the check would produce true then just run a simple if($var==true){ tag. Do you get what I am saying? Check if a URL is .html or .php just like you can check an image for if it is .gif or .jpg ect.
Thanks again for the help. I know this question could be under a new Topic but I dont see why making more topics for related question.
Sparkx

I think the best and most common method is to use regular expressions. Using regular expressions allows you to match a wider variety of patterns. If you only use str_replace, then if the user makes a mistake in the BBC or the BBC contains something you weren't expecting, you could get a lot of errors.

For example, here is some BBC for URL using regular expressions:

See, instead of replacing a part of the BBC, the entire tag is replaced and selected parts of the tag is reinserted into the new string. The first pattern is actually composed of 5 sub-patterns:
(\[url=) - First, the string must start with "[ur..."
([^\]]*?) - Second, match everything after that up to but not including "]" - This is the "http..."
(\]) - Third, find the end bracket for the opening tag.
(.*?) - Fourth, Match everything here until the next sub-pattern. - This is the "Handy PHP"
(\[/url\]) - Fifth, find the closing tag for the BBC.

Now, the replacements include back references to parts of the original string. For example, ${2} means use the second sub-pattern match from the original string which is http://www.handyphp.com.

Since you are matching a full string instead of pieces and parts of a string, you can better control how the output will be formated. While this pattern doesn't tackle the issue of single, double, or no quotes being used by the user, it could be easily modified to do so.

See this new version that looks for single and double quotes:


You may have noticed that I use arrays for both pattern and replace. preg_replace will cycle through each array item in $pattern and replace it with the corresponding item from $replace. You should also see that I have 2 different patterns and 2 different matches. This is because of the 2 different methods that the URL BBC can usually be implemented. The first should always be the more specific pattern followed by the more general. Since the link with a a name is a more complex string, the pattern for it has to be more specific.

Due to the complexity of regular expressions, many newer programmers have a lot of trouble figuring out how to use them. In fact, I still learn new things every time I try to use regular expressions. I depend a lot on trial and error. The above examples are not quite as optimized as they could be but these are the easiest to understand examples I could come up with. For example, since you only need 2 back references in this example, it isn't really necessary to have everything broken down into sub-patterns. Only that which you want to back reference needs to be sub-patterned.

I recommend that you do more research into regular_expression. Here is a good place to learn: http://www.ilovejackdaniels.com/cheat-shee...ns-cheat-sheet/
In general, that is a fantastic website for web developers. I printed a number of the full color cheat sheets onto glossy double sided photo paper.

As for checking for injections, you can reject urls the end with ".exe" if you want. It just requires you to adjust the regular expression to "NOT" match the BBC if it contains a link with .exe at the end. Or you could replace offensive links with some other string which is easier and will cover all links in the input and not just the once in BBC.

I hope this helps
vujsa

Great mini-tutorial on regular expression and their use with BBCode. This is very useful when creating web sites with user input and I am sure lots of people will benefit from it

I would like to present another option for you here...

You could always use a bbcode engine from forum or blogging software if your website has those on them...it would be as simple as including the files necessary to have the functions to parse bbcode (just make sure you don't violate any copyright restrictions there, and that you give proper credit).

But that is what I have done with my website and it seems to work really well for me....

That is an excellent idea Brian. Not only does this give you more time to develop other aspects of your website, it also guarantees that the BBC will be the same on the entire website. Not to mention, if your forum or blog has developed it already, it probably doesn't have any bugs in it.

Come to think of it, I have a section on my website I might try this with. I don't particularly like the BBC used on my forum but at least it would add consitancy to the website if I used it in the other section. Of course, at some point in time, I have to "customize" the BBC in my forum.

vujsa

Thanks for the tutorial. Sorry for the late reply but at the time I didn't see a big need to reply. I used the preg-replace and I have been working with it a lot. I just has a quick additional question. Is it possible (like above) to set a variable to the BBCode? I would like to do something like the following:
I don't know if you can understand that but basicly what I want is to replace < and > with the HTML version of < and > for everything between [bbcode] and [/bbcode]. What I want is just like the [ code ] [/ code ] function on this BB.
Thanks again for all the help and the link,
Sparkx