I am basically trying to capture the input information and then print it on the screen. I noted that I must implement input filtering and output escaping. Please check whether this result is correct:

receive.php

<html>

<?php

$nama = isset($_POST['nama']) ? $_POST ['nama'] : '';
$color =  isset($_POST['color']) ? $_POST ['color'] : '';


$newnama = htmlspecialchars($nama, ENT_QUOTES);
$newcolor =  htmlspecialchars($color, ENT_QUOTES);


RemoveBad($newnama);
RemoveBad($newcolor);

// filter input

function RemoveBad($strTemp) { 
    $strTemp = $strTemp.replace("/<|>|||%|;|(|)|&|+|-/g","");
    return $strTemp;
} 

?>

<h1> Print Output </h1>
Nama  :  <?php echo $newnama ?>
Color   :  <?php echo $newcolor ?>

</html>




Fatal error: Call to undefined function replace() in C:\xampp\htdocs\php_exercise\receive.php on line 19
line 19:     $strTemp = $strTemp.replace("/<|>|||%|;|(|)|&|+|-/g","");
diafol

Use preg_replace; .replace is JS. Also I think you need to do this:

$newnama = RemoveBad($newnama);
$newcolor = RemoveBad($newcolor);

Otherwise you're just returning the operation to nothing.

Warning: preg_replace() expects at least 3 parameters, 2 given in C:\xampp\htdocs\php_exercise\receive.php on line 19

Hi, I have modified line 19 to:

$strTemp = $strTemp.preg_replace("/\<|>|\|\|\%|\;|(|)|\&|+|-/","", $strTemp);

I tested the program:

<html>
Spoofed Form Security
<form action="receive.php" method="POST">
Nama:
<input type="text" name="nama"><br>
Warna Favorit: <select name="color">
<option value="red">red</option>
<option value="green">green</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>

Nama: fasfasd(
Warna: red

Output: Nama : sdfsdfsd(sdfsdfsdColor : redred

It is supposed to delete the ( sign and all the other strange signs. How?

( and ) are special characters, you need to escape them with a backslash.

Where do I place the backslash? Before which characters?

Before the parenthesis.

I still do not understand. Can you copy my code and show me where exactly to place the backslash? You mean like this:

$strTemp = $strTemp.replace
/ ("/<|>|||%|;|(|)|&|+|-/g","");

$strTemp = preg_replace('/<|>|\||%|;|\(|\)|&|\+|-/i', '', $strTemp);
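As an added example (not the thread's own code), here is the corrected receive.php logic the thread arrives at, written so it runs from the PHP command line with a constructed $post array standing in for $_POST. The function names removeBad, escapeHtml and pickColor are assumptions, and the character class replaces the alternation so that ( and ) need no escaping.

```php
<?php
// Added example, not the original poster's script: filter input, then escape output.
// Function names are assumed; the characters stripped are the ones RemoveBad() targeted.

// Filter input: a character class needs no alternation, and ( ) are literal inside
// it, so only the hyphen has to be escaped.
function removeBad(string $value): string
{
    $filtered = preg_replace('/[<>|%;()&+\-]/', '', $value);
    // preg_replace() returns null on a regex error; fail closed with an empty string.
    return $filtered ?? '';
}

// Escape output: never echo user input into HTML unescaped, even after filtering.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The <select> has a fixed set of options, so whitelist it rather than filter it.
function pickColor(string $value): string
{
    $allowed = ['red', 'green', 'blue'];
    return in_array($value, $allowed, true) ? $value : 'red';
}

// Constructed sample input standing in for $_POST during a CLI run.
$post = ['nama' => 'fasfasd(<b>"x"</b>)', 'color' => 'purple'];

// The return value must be assigned; calling removeBad($x) alone discards the result.
$newnama  = escapeHtml(removeBad($post['nama'] ?? ''));
$newcolor = escapeHtml(pickColor($post['color'] ?? ''));

echo "Nama  : $newnama\n";
echo "Color : $newcolor\n";
```

Run it with `php receive_example.php` to see the parentheses and angle brackets stripped from the name, the quotes escaped, and the unknown color replaced by the default.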