Formatted text + database insertion/retrieval

Posted: Mon Aug 15, 2005 3:51 pm
by influx
Hey all,

I have a site similar to any other blog site, where I have a few friends coming and posting whatever they want. I found this "Rich-text Editor" online, a WYSIWYG editor for posting to their blog...and have a few questions about database input and future output.

Since the WYSIWYG editor (found here: http://www.kevinroth.com/rte/demo.htm ) is basically a bunch of HTML code...what would I need to do before inputting it into my database to be safe?

Since my php.ini has magic_quotes_gpc set to off...would I need to mysql_real_escape_string() everything going into the database? What else would I need?

Also, when retrieving the data from the MySQL database, what would I need to do to it? Do I need to use stripslashes()? I really want this to be foolproof.

BTW: the richtext editor suggested using the following function before placing formatted text into a database, should I use this or simple PHP functions instead?

Code:

function RTESafe($strText)
{
	// Returns safe code for preloading in the RTE: it prepares stored text for
	// embedding in the editor's JavaScript initialisation. It is not SQL escaping
	// and not an HTML filter.
	$tmpString = trim($strText);

	// Convert all types of single quotes: chr(145)/chr(146) are the Windows-1252
	// curly quotes, mapped to a plain apostrophe, which is then entity-encoded.
	$tmpString = str_replace(chr(145), chr(39), $tmpString);
	$tmpString = str_replace(chr(146), chr(39), $tmpString);
	$tmpString = str_replace("'", "&#39;", $tmpString);

	// Convert all types of double quotes: chr(147)/chr(148) are the Windows-1252
	// curly double quotes, mapped to a plain double quote.
	$tmpString = str_replace(chr(147), chr(34), $tmpString);
	$tmpString = str_replace(chr(148), chr(34), $tmpString);
	//$tmpString = str_replace("\"", "\"", $tmpString);

	// Replace carriage returns & line feeds with spaces so the string stays on
	// one line when preloaded.
	$tmpString = str_replace(chr(10), " ", $tmpString);
	$tmpString = str_replace(chr(13), " ", $tmpString);

	return $tmpString;
}
Thanks!
-influx :lol:
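Added example, not influx's code and not part of the RTE package: it separates the three concerns the question mixes together (SQL escaping, what gets stored, and what happens on output). It assumes the pdo_sqlite extension so it runs offline against an in-memory database; the posts table, the sample post and the function names raw_input(), store_post() and fetch_post() are all constructed for this example.

```php
<?php
// Added example, not influx's code: keep SQL escaping at the query boundary,
// store the editor's HTML untouched, and decide on HTML handling at output time.
// PDO with an in-memory SQLite database is used so it runs offline (assumes the
// pdo_sqlite extension); the table and the sample post are constructed here.

// If magic_quotes_gpc were on, the place to undo it is on input, before the
// value is ever stored. get_magic_quotes_gpc() no longer exists in PHP 8, hence
// the function_exists() guard; with it off (as in the question) this is a no-op.
function raw_input(string $value): string
{
    return (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        ? stripslashes($value)
        : $value;
}

function store_post(PDO $db, string $author, string $body): int
{
    // Prepared statement: values travel separately from the SQL text, so the
    // database receives them unescaped and stores them byte for byte. With the
    // old mysql_* API the equivalent is mysql_real_escape_string() around each
    // value while building the query string; either way the escaping belongs
    // to the query, not to the stored data.
    $ins = $db->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $ins->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function fetch_post(PDO $db, int $id): array
{
    // Retrieval needs no stripslashes(): nothing added slashes on the way in.
    $sel = $db->prepare('SELECT author, body FROM posts WHERE id = :id');
    $sel->execute([':id' => $id]);
    return $sel->fetch(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample: both quote styles, a backslash and an SQL comment marker,
// the characters that break when escaping is done at the wrong layer.
$author = raw_input("O'Brien");
$body   = raw_input('<p>He said "it\'s in C:\temp" -- and <b>left</b></p>');

$id  = store_post($db, $author, $body);
$row = fetch_post($db, $id);

echo ($row['author'] === $author && $row['body'] === $body)
    ? "round trip unchanged, no stripslashes() needed\n"
    : "round trip altered the data\n";

// Output: plain fields get htmlspecialchars(). The HTML body is different:
// escaping it would display the markup literally, echoing it raw would run
// whatever the poster typed, so it has to pass through a tag whitelist first.
echo '<h2>' . htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8') . "</h2>\n";
```

The point of the round-trip check is that escaping is a property of the query (or of the output format), never of the stored text: if the value comes back different from what went in, some layer is escaping twice, and stripslashes() on output is only papering over that.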

Posted: Mon Aug 15, 2005 5:09 pm
by John Cartwright
You're going to want to strip out <script> tags for sure... some serious potential problems if you don't...
Think about what you don't want to offer: <table>, <tr>, <td>, <img>, <bh>, <hr>, <script>

Posted: Mon Aug 15, 2005 8:39 pm
by Ambush Commander
Stack-based parsers are the solution to everything. They just sure take a hell of a long time to program.

The quickest way is to whitelist certain inline level tags (i.e. <b>, <i>, <u>) and do some simple nesting checks to make sure they're not put in the wrong places.

If you want maximum flexibility, create a PHP based implementation of the XHTML DTD specification, and then strategically blacklist elements you don't want.

If you need some block level tags... well... good luck...

That's why everyone uses those "Forum Tags"... they're so much easier to deal with parser-wise.
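Added example, not code from John Cartwright, Ambush Commander or the RTE: a whitelist filter with a tag stack, the "whitelist a few inline tags and do simple nesting checks" approach from the previous post, which also covers the <script> stripping John asks for. The function name sanitize_inline_html(), its default tag list and the sample inputs at the bottom are all constructed for this example.

```php
<?php
// Added example, not code from either poster or from the RTE: a whitelist
// filter with a tag stack. Only the listed inline tags survive, every attribute
// is discarded (no onclick=, no javascript: href), text runs are entity-encoded,
// and the stack enforces nesting: stray closing tags are dropped, misordered
// closes are repaired, and tags still open at the end are closed. Any other
// element is removed but keeps its text, except <script> and <style>, which
// are removed together with their contents.

function sanitize_inline_html(string $html, array $allowed = ['b', 'i', 'u', 'em', 'strong']): string
{
    // Drop script/style elements with their contents. An unterminated one falls
    // through to the generic path below, loses its tag and leaves plain text.
    $html = preg_replace('#<(script|style)\b[^>]*>.*?</\1\s*>#is', '', $html);

    // Split into tag tokens and text tokens. Anything that does not look like a
    // tag (comments, a lone '<', '< b') is treated as text and encoded.
    $tokens = preg_split('#(</?[a-zA-Z][a-zA-Z0-9]*\b[^>]*>)#', $html, -1,
        PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);

    $out   = '';
    $stack = [];   // open whitelisted tags, innermost last

    foreach ($tokens as $tok) {
        if (!preg_match('#^<(/?)([a-zA-Z][a-zA-Z0-9]*)#', $tok, $m)) {
            // Text run: decode then re-encode so existing entities are
            // normalised and no literal '<' or '&' can form new markup.
            $out .= htmlspecialchars(html_entity_decode($tok, ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8');
            continue;
        }
        $closing = ($m[1] === '/');
        $name    = strtolower($m[2]);
        if (!in_array($name, $allowed, true)) {
            continue;                            // not whitelisted: tag vanishes
        }
        if (!$closing) {
            $stack[] = $name;
            $out    .= "<$name>";                // rebuilt without attributes
        } elseif (in_array($name, $stack, true)) {
            // Close everything opened after it, so <b><i>x</b> becomes
            // <b><i>x</i></b>; a closing tag with no open partner is dropped.
            while (($top = array_pop($stack)) !== $name) {
                $out .= "</$top>";
            }
            $out .= "</$name>";
        }
    }
    while ($stack !== []) {
        $out .= '</' . array_pop($stack) . '>';
    }
    return $out;
}

// Constructed inputs covering the cases the filter is meant to handle.
$cases = [
    '<b onclick="x()">bold</b><script>alert(1)</script>tail',
    '<b><i>nested</b></i> and </u>stray',
    '<img src="x" onerror="alert(1)">caption <i>left open',
    'a < b && c > d &amp; literal entity',
];
foreach ($cases as $c) {
    echo sanitize_inline_html($c), "\n";
}
```

Run it and the four cases show the four behaviours in turn: the first keeps a bare <b> and loses both the attribute and the whole script element; the second has its closes reordered and the unmatched </u> dropped; the third loses the <img> entirely and gets the open <i> closed at the end; the fourth contains no tag at all and comes out fully entity-encoded. Adding block-level tags to the whitelist is where the "good luck" in the previous post applies: the stack handles nesting order, but not the content-model rules (what may appear inside what) that a DTD-driven parser would enforce.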