Formatted text + database insertion/retrieval



influx
Forum Commoner
Posts: 31
Joined: Fri Aug 05, 2005 9:28 am


Post by influx »

Hey all,

I have a site similar to any other blog site, where I have a few friends coming and posting whatever they want. I found this "Rich-text Editor" online, a WYSIWYG editor for posting to their blog...and have a few questions about database input and future output.

Since the WYSIWYG editor (found here: http://www.kevinroth.com/rte/demo.htm ) is basically a bunch of HTML code...what would I need to do before inputting it into my database to be safe?

Since my php.ini has magic_quotes_gpc set to off...would I need to mysql_real_escape_string() everything going into the database? What else would I need?

Also, when retrieving the data from the MySQL database, what would I need to do to it? Do I need to use stripslashes()? I really want this to be foolproof.

BTW: the richtext editor suggested using the following function before placing formatted text into a database, should I use this or simple PHP functions instead?

Code:

function RTESafe($strText)
{
	//returns safe code for preloading in the RTE
	$tmpString = trim($strText);
	
	//convert all types of single quotes (Windows-1252 curly quotes to ASCII)
	$tmpString = str_replace(chr(145), chr(39), $tmpString);
	$tmpString = str_replace(chr(146), chr(39), $tmpString);
	//the forum rendered the &#39; entity as a bare quote, which made this line a no-op;
	//the entity keeps a single quote from ending the JavaScript string the RTE preloads
	$tmpString = str_replace("'", "&#39;", $tmpString);
	
	//convert all types of double quotes (Windows-1252 curly quotes to ASCII)
	$tmpString = str_replace(chr(147), chr(34), $tmpString);
	$tmpString = str_replace(chr(148), chr(34), $tmpString);
	//$tmpString = str_replace("\"", "\"", $tmpString);
	
	//replace carriage returns & line feeds
	$tmpString = str_replace(chr(10), " ", $tmpString);
	$tmpString = str_replace(chr(13), " ", $tmpString);
	
	return $tmpString;
}
Thanks!
-influx :lol:
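The escaping half of the question is easiest to answer with a worked round trip. The following is an added example for this thread, not code from influx's post or from the RTE project: it stores the editor's HTML with parameterized queries (PDO, which replaced the mysql_* functions removed in PHP 7; magic_quotes itself is gone since PHP 5.4), reads it back without stripslashes(), and escapes it for the JavaScript string the RTE preloads. The `posts` table, DSN and credentials are assumptions. Sanitizing the HTML before showing it to readers is a separate step that this block does not do.

```php
<?php
// Added example, not code from influx's post or from the RTE project.
// Assumes a `posts` table (id INT AUTO_INCREMENT, author VARCHAR, body TEXT)
// and the PDO MySQL driver; DSN and credentials are placeholders.

function connectDb(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=blog;charset=utf8mb4', // assumed DSN
        'bloguser',                                          // assumed user
        'CHANGE-ME',                                         // assumed password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: data never enters the SQL text
        ]
    );
}

// Store the editor HTML exactly as submitted. It is a bound parameter, so
// quotes and backslashes in it cannot alter the query, and there is nothing
// for magic_quotes_gpc or mysql_real_escape_string() to do.
function insertPost(PDO $pdo, string $author, string $html): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $html]);
    return (int) $pdo->lastInsertId();
}

// Retrieval needs no stripslashes(): nothing was added on the way in, so the
// row comes back byte-for-byte as inserted.
function fetchPost(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, author, body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The RTE preloads its initial content from a JavaScript string, so the
// escaping that matters there is for the JS-inside-HTML context, not for SQL.
// json_encode with the HEX flags yields a quoted literal in which <, >, ', "
// and & are encoded, so the body can neither end the string nor the <script>.
function rtePreloadJs(string $html): string
{
    $js = json_encode($html, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return $js === false ? '""' : $js; // invalid UTF-8 yields an empty string rather than broken JS
}

// Constructed sample round trip.
$pdo  = connectDb();
$id   = insertPost($pdo, 'influx', "<p>It's \"quoted\" and has a \\ backslash</p>");
$post = fetchPost($pdo, $id);
echo '<script>var initialContent = ' . rtePreloadJs($post['body']) . ";</script>\n";
```

With real prepared statements the "what do I escape for MySQL" question disappears, and the RTESafe() function posted above is only relevant to the last step (putting stored text back into the editor), where a context-aware encoder such as json_encode() does the job more reliably than byte substitutions.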
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

You're going to want to strip out <script> tags for sure... some serious potential problems if you don't...
Think about what you don't want to offer: <table>, <tr>, <td>, <img>, <bh>, <hr>, <script>
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Stack based parsers are the solution to everything. They just sure take a hell-of-a-long-time to program.

The quickest way is to whitelist certain inline level tags (i.e. <b>, <i>, <u>) and do some simple nesting checks to make sure they're not put in the wrong places.

If you want maximum flexibility, create a PHP based implementation of the XHTML DTD specification, and then strategically blacklist elements you don't want.

If you need some block level tags... well... good luck...

That's why everyone uses those "Forum Tags"... they're so much easier to deal with, parser-wise.
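The two replies above describe the same control from different ends: John Cartwright's list of tags to refuse (<script> first of all) and Ambush Commander's whitelist of inline tags with a stack to check nesting. The following is an added example written for this thread, not code from either poster or from the RTE project. It keeps only whitelisted tags and attributes, re-escapes all text, drops the contents of <script> and <style>, uses a stack to close elements in order and to stop a block element opening inside an inline one, and allows only http/https links. The tag and attribute lists are assumptions to adjust for your own blog.

```php
<?php
// Added example, not code from the thread or from the RTE project: a small
// stack-based whitelist sanitizer for editor HTML. Lists below are assumptions.

const ALLOWED_TAGS = [
    'b' => [], 'i' => [], 'u' => [], 'em' => [], 'strong' => [],
    'p' => [], 'br' => [],
    'a' => ['href'],
];
const VOID_TAGS         = ['br'];
const BLOCK_TAGS        = ['p'];
const DROP_CONTENT_TAGS = ['script', 'style']; // tag and content both removed

function safeHref(string $url): ?string
{
    // Only plain http/https links survive; every other scheme is dropped.
    return preg_match('#^https?://#i', trim($url)) ? trim($url) : null;
}

function sanitizeHtml(string $html): string
{
    $out    = '';
    $stack  = [];   // names of currently open allowed elements
    $skip   = null; // name of the DROP_CONTENT element we are inside, if any
    $tokens = preg_split('#(<[^>]*>)#', $html, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);

    foreach ($tokens as $tok) {
        if ($tok[0] !== '<') {
            // Text: decode existing entities, then escape, so nothing is double-encoded.
            if ($skip === null) {
                $out .= htmlspecialchars(html_entity_decode($tok, ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8');
            }
            continue;
        }
        // Accept "<name attrs>" or "</name>"; comments and malformed tags are dropped.
        if (!preg_match('#^<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>$#', $tok, $m)) {
            continue;
        }
        $closing = ($m[1] === '/');
        $name    = strtolower($m[2]);
        $attrs   = $m[3];

        if ($skip !== null) {                 // inside <script>/<style>
            if ($closing && $name === $skip) {
                $skip = null;
            }
            continue;
        }
        if (in_array($name, DROP_CONTENT_TAGS, true)) {
            if (!$closing) {
                $skip = $name;
            }
            continue;
        }
        if (!isset(ALLOWED_TAGS[$name])) {
            continue;                         // unknown tag: drop the tag, keep its text
        }
        if ($closing) {
            // Close only an element that is open; pop everything opened after it.
            $idx = false;
            for ($i = count($stack) - 1; $i >= 0; $i--) {
                if ($stack[$i] === $name) { $idx = $i; break; }
            }
            if ($idx === false) {
                continue;                     // stray close tag
            }
            while (count($stack) > $idx) {
                $out .= '</' . array_pop($stack) . '>';
            }
            continue;
        }
        // Nesting check: <p> is the only block element here and cannot sit inside
        // an inline element or another <p>, so opening one closes everything open.
        if (in_array($name, BLOCK_TAGS, true)) {
            while ($stack) {
                $out .= '</' . array_pop($stack) . '>';
            }
        }
        // Rebuild attributes from the whitelist only; everything else is discarded.
        $attrOut = '';
        foreach (ALLOWED_TAGS[$name] as $attr) {
            if (!preg_match('#\b' . $attr . '\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))#i', $attrs, $am)) {
                continue;
            }
            $val = html_entity_decode(($am[1] ?? '') . ($am[2] ?? '') . ($am[3] ?? ''), ENT_QUOTES, 'UTF-8');
            if ($attr === 'href' && ($val = safeHref($val)) === null) {
                continue;
            }
            $attrOut .= ' ' . $attr . '="' . htmlspecialchars($val, ENT_QUOTES, 'UTF-8') . '"';
        }
        if (in_array($name, VOID_TAGS, true)) {
            $out .= "<$name$attrOut />";
        } else {
            $out .= "<$name$attrOut>";
            $stack[] = $name;
        }
    }
    while ($stack) {                          // close whatever the author left open
        $out .= '</' . array_pop($stack) . '>';
    }
    return $out;
}

// Constructed sample input exercising each rule.
$dirty = '<p>Hi <b>there<script>evil()</script></b><i>oops<p>block in inline</p></i>'
       . '<a href="javascript:evil()" onclick="evil()">bad</a> <a href="http://example.com/">ok</a> 1 < 2';
echo sanitizeHtml($dirty), "\n";
```

Run this on stored posts at render time (or once at save time, as long as the editor preload still goes through a JS-string encoder). The stack is what turns a tag filter into a parser: unmatched closes are dropped, unclosed elements are closed at the end, and a <p> can never end up inside <b>, so the output is always well-formed no matter what the editor or a hand-edited request submits.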