Plug-in PHP: 100 Power Solutions
Chapter 6: Forms and User Input

You must also remember that this plug-in provides support for BB Code but does not reject HTML code. For that, you need to first run inputted text through functions to strip out HTML and JavaScript, which would probably look like this:

$text = htmlentities(strip_tags($text));

The strip_tags() function removes all HTML tags from a string, and htmlentities() turns all quotation marks and other punctuation into harmless entities that will be displayed and not acted upon.

TABLE 6-1  List of BB Codes Supported by Plug-in 39

Opening BB Code   Closing BB Code   Action
[b]               [/b]              Bold face on and off
[i]               [/i]              Italics on and off
[u]               [/u]              Underline on and off
[s]               [/s]              Strikethrough on and off
[quote]           [/quote]          Blockquote on and off
[code]            [/code]           Preformatted text on and off
[img]url          [/img]            Start and end of an image URL
[url]url          [/url]            Start and end of a hyperlink
[url=url]text     [/url]            Start and end of a hyperlink (display text, not URL)
[size=??]         [/size]           Font size = ?? and end font size
[color=??]        [/color]          Font color = ?? and end font color

The Plug-in

function PIPHP_BBCode($string)
{
   // Codes with no parameter are handled in a single str_replace() pass
   $from = array('[b]', '[/b]', '[i]', '[/i]', '[u]', '[/u]',
      '[s]', '[/s]', '[quote]', '[/quote]', '[code]', '[/code]',
      '[img]', '[/img]', '[/size]', '[/color]', '[/url]');
   $to   = array('<b>', '</b>', '<i>', '</i>', '<u>', '</u>',
      '<s>', '</s>', '<blockquote>', '</blockquote>', '<pre>', '</pre>',
      '<img src="', '" />', '</span>', '</font>', '</a>');

   $string = str_replace($from, $to, $string);

   // Codes that carry a parameter need regular expressions
   $string = preg_replace("/\[size=([\d]+)\]/",
      "<span style=\"font-size:$1px\">", $string);
   $string = preg_replace("/\[color=([^\]]+)\]/",
      "<font color='$1'>", $string);

   // [/url] has already become </a>, so a bare [url]...[/url] now reads
   // [url]...</a>; the URL is reused as both the href and the link text
   $string = preg_replace("/\[url\]([^\[]*)<\/a>/",
      "<a href='$1'>$1</a>", $string);
   $string = preg_replace("/\[url=([^\]]*)]/",
      "<a href='$1'>", $string);

   return $string;
}

Pound Code

BB Code is all well and good, but in my opinion it makes for a lot of typing of square brackets. So I invented a sleeker and simpler code called Pound Code (or Hash Code outside of the USA). With it you don't need to surround a code with brackets. Instead, you just type a # symbol followed by the action you want to achieve, and the plug-in works out the rest for you. Figure 6-10 shows the result.

FIGURE 6-10  Pound Code is easier than BB Code and offers more flexibility.

About the Plug-in

This plug-in accepts a string containing Pound Code and returns it translated into safe HTML. It takes this argument:

• $text   The string to translate

Variables, Arrays, and Functions

$names   Array containing the supported short font names
$fonts   Array containing the HTML long names of $names
$to      Array containing the strings required to translate the short font codes to HTML

How It Works

This plug-in performs in a similar way to the BB Code plug-in but starts off by offering nine different font styles. It takes the short codes in $names and, using the long names of each stored in $fonts, creates <font face='fontname'> strings for all of them using a for loop to iterate through them, placing the results in the array $to. Then the function str_ireplace() is called to replace all occurrences found, regardless of whether they are in upper- or lowercase.

Afterward, it uses the preg_replace() function four times to perform the more complex translations:

• Converts any #b-, #i-, #u-, or #s- codes into </b>, </i>, </u>, or </s>
• Converts any #b, #i, #u, or #s codes into <b>, <i>, <u>, or <s>
• Converts any of #1 to #7 into <font size='1'> through <font size='7'>
• Converts any other #code into <font color='code'>

Finally, any instances of #- are translated into </font>. Then, with all translations completed, the modified string is returned. If no modifications were made, the original string is returned.

How to Use It

To use this plug-in, just pass it the code that needs to be translated. If it includes any Pound Code, the returned result will be modified accordingly; otherwise it will be the same as the original. In the following example, $string is populated with some text and Pound Code, and then passed to the plug-in:

$string = <<<_END
This is a test of #comicPound Code#-
#2Size 2#- #4Size 4#- #6Size 6#-
#iitalic#i- #red#bbold red#b-#-
#uunderline#u- #sstrikethrough#s-
_END;

echo PIPHP_PoundCode($string);

The list of Pound Codes supported by this plug-in and the actions they perform are shown in Table 6-2. If your users are new to it, you might wish to copy this table to your web site.

TABLE 6-2  List of Pound Codes Supported by Plug-in 40

Opening # Code   Closing # Code   Action
#b               #b-              Bold face on and off.
#i               #i-              Italics on and off.
#u               #u-              Underline on and off.
#s               #s-              Strikethrough on and off.
#font            #-               Change to the font name provided (out of #arial, #chicago, #comic, #courier, #georgia, #impact, #script, #times, and #verdana). The #- code reverts to the previous font.
#color           #-               Change to any legitimate HTML color name (such as #red or #purple, etc.). The #- code reverts to the previous font color.
#1 - #7          #-               Change to an HTML font size between 1 and 7. The #- code reverts to the previous font size.

Note that I have deliberately not offered the facility for users to include either image or hyperlink URLs, and that's for very good security reasons. Based on many years of experience in writing chat room software, you'd be amazed how often programmers put things in GET requests (tails of posted data appended to URLs, also known as a query string) thinking only the user can see them. This can sometimes even include password or other login details! The problem with this is that if you allow an image to be displayed on that web site from a third-party server, then the current page's URL will be sent to the other server where it can be saved in the log files. The same goes for any users clicking links to third-party sites: the full details of the page they are on will be sent to the other server by their browser, and if either of these includes login details or a session ID embedded in a GET query string, the other server will gain access to it.

So, if your site uses GET requests, the proper way to do this is to write a routine to retrieve the image from the other server and then display it from a local cache on your own server without any GET query string appended to the URL. For URLs, you should create a redirection link on your web site and send your users off via that, also ensuring there is no GET query string. This is one reason why (apart from the fact that I wrote it and think it's easier to use) I would generally recommend Pound Code over BB Code.

In a similar way to the previous one, this plug-in does not reject HTML code, and so you will probably first want to run inputted text through functions to strip out HTML and JavaScript such as these:

$string = htmlentities(strip_tags($string));

The strip_tags() function removes all HTML tags from a string, and htmlentities() turns all quotation marks and other punctuation into harmless entities that will be displayed and not acted upon.

The Plug-in

function PIPHP_PoundCode($text)
{
   // Short font codes and their long HTML font names, index for index
   $names = array('#georgia', '#arial', '#courier', '#script', '#impact',
      '#comic', '#chicago', '#verdana', '#times');
   $fonts = array('Georgia', 'Arial', 'Courier New', 'Script', 'Impact',
      'Comic Sans MS', 'Chicago', 'Verdana', 'Times New Roman');
   $to    = array();

   // Build a <font face='...'> opening tag for each short code
   for ($j = 0 ; $j < count($names) ; ++$j)
      $to[] = "<font face='$fonts[$j]'>";

   // Font codes are matched regardless of case
   $text = str_ireplace($names, $to, $text);

   // Closing codes (#b- and so on) must be handled before the opening ones,
   // otherwise #b- would become <b>- in the following step
   $text = preg_replace('/#([bius])-/i', "</$1>", $text);
   $text = preg_replace('/#([bius])/i', "<$1>", $text);
   $text = preg_replace('/#([1-7])/', "<font size='$1'>", $text);
   $text = preg_replace('/#([a-z]+)/i', "<font color='$1'>", $text);
   $text = str_replace('#-', "</font>", $text);

   return $text;
}
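The redirection link the chapter recommends for outbound hyperlinks, written out as an added example (not the book's code and not part of the PIPHP plug-ins): the post renderer emits a signed link whose target sits in the path rather than in a query string, and the handler verifies the signature before redirecting. The function names, the /go/ path and the $secret key are assumptions; rel="noreferrer" on the anchor and the Referrer-Policy header on the redirect are standard browser mechanisms layered on top of the book's advice.

```php
<?php
// Added example, not code from the book: a signed redirection ("bounce") link
// for user-supplied hyperlinks, so a third-party server never receives the
// page URL (and any session ID in its query string) as the Referer.
// Assumed names: bounce_link(), bounce_anchor(), bounce_handler(), the /go/
// path, and $secret, a server-side key used to sign the links.

// href to emit for a user-supplied URL; null unless it is plain http(s).
function bounce_link($url, $secret)
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) return null;
    if (!in_array(strtolower($p['scheme']), array('http', 'https'), true)) return null;
    if (isset($p['user']) || isset($p['pass'])) return null;  // no embedded logins
    if (preg_match('/[\r\n]/', $url)) return null;            // no header injection
    // Target goes in the path (base64url), not a query string, and is signed
    // so the handler only honours links this renderer produced.
    $enc = strtr(base64_encode($url), '+/', '-_');
    return "/go/$enc/" . hash_hmac('sha256', $enc, $secret);
}

// Anchor for the rendered post; $text is assumed to have been through
// htmlentities(strip_tags()) already, as the chapter describes.
// rel="noreferrer" also tells the browser to send no Referer for this link.
function bounce_anchor($url, $text, $secret)
{
    $href = bounce_link($url, $secret);
    if ($href === null) return $text;  // unsupported target: leave as text
    return "<a href=\"$href\" rel=\"noreferrer\">$text</a>";
}

// Handler for /go/<enc>/<sig> (e.g. mapped to this script by a rewrite rule).
// Returns the target URL after sending the redirect, or null after a 400.
function bounce_handler($enc, $sig, $secret)
{
    $url = base64_decode(strtr($enc, '-_', '+/'), true);
    if (!hash_equals(hash_hmac('sha256', $enc, $secret), $sig) ||
        $url === false || bounce_link($url, $secret) === null) {
        http_response_code(400);
        return null;
    }
    // Referrer-Policy on the redirect response keeps even the /go/ URL from
    // being passed along to the destination.
    header('Referrer-Policy: no-referrer');
    header('Location: ' . $url, true, 302);
    return $url;
}
```

The same signed-path approach suits the chapter's image advice: the renderer points the img tag at a local cache path and the server, not the visitor's browser, fetches the remote file.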