HTML Tags + MySQL Database

tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

HTML Tags + MySQL Database

Post by tecktalkcm0391 »

I forgot how to take a user input of HTML and make it so it's safe to store it in the database, and then how to return it to HTML... Please help.

(It's too late.)
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: HTML Tags + MySQL Database

Post by Christopher »

I would recommend something like:

Code:

// filtering
// limit strings to characters you will allow
$email = preg_replace('/[^a-zA-Z0-9\-\_\@\.]/', '', $_POST['email']);
// or numbers
$id = intval($_POST['id']);
 
// escape values before adding them to SQL
$email = mysql_real_escape_string($email);
$id = mysql_real_escape_string($id);    // do this anyway in case you change id to alphanum later
$sql = "UPDATE mytable SET email='$email' WHERE id='$id'";
 
(#10850)
tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

Re: HTML Tags + MySQL Database

Post by tecktalkcm0391 »

Do I need to unescape the data when it comes out of MySQL? Once again... it's too late to try.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: HTML Tags + MySQL Database

Post by Mordred »

tecktalkcm0391 wrote: Do I need to unescape the data when it comes out of MySQL? Once again... it's too late to try.
No.
spgkr
Forum Newbie
Posts: 1
Joined: Sat Apr 05, 2008 5:09 pm

Re: HTML Tags + MySQL Database

Post by spgkr »

So is it unsafe to store pure html in databases? I'm just getting to grips with it now but have tried it on my test setup and it seems fine? (even with double quotes)

If not, does anyone have a link to an article discussing how preg_replace works when used with HTML?

Cheers

J
tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

Re: HTML Tags + MySQL Database

Post by tecktalkcm0391 »

You can use HTML, just don't use preg_match this way... Search the PHP Manual for HTML tags, because you want to change it into a special form, and then submit it to the database, then recall it later, but always use mysql_real_escape_string() for anything submitted into the database.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: HTML Tags + MySQL Database

Post by RobertGonzalez »

Look at HTML Purifier as well. It is a little slow, but can be used to handle cleansing of HTML coming from the database. Though cleaning it before it hits the database might be better.
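
The points made in this thread, put together as an added example (not code from any of the posters): HTML is stored unchanged through a bound parameter, comes back out with nothing to unescape, and is escaped for the HTML context only when it is displayed. It uses a PDO prepared statement in place of mysql_real_escape_string(), and assumes the pdo_sqlite driver with an in-memory SQLite database standing in for MySQL; the table, function names and sample input are constructed.

```php
<?php
// Added example, not from the thread. Assumptions: PDO with the pdo_sqlite
// driver (in-memory database standing in for MySQL); the table, function
// names and sample input are constructed for illustration.

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// Store the input exactly as submitted. The bound parameter keeps the
// quotes in the HTML from ever being parsed as SQL.
function save_comment(PDO $pdo, string $html): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $html]);
    return (int) $pdo->lastInsertId();
}

// Read it back: the value is the original string, nothing to unescape.
function load_comment(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

// Escape for the HTML context at output time, so stored markup is shown
// as text instead of being interpreted by the browser.
function render_as_text(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: quotes for the SQL layer, tags for the HTML layer.
$input = '<p class="note">O\'Reilly said "hi"</p><script>alert(1)</script>';

$pdo    = open_db();
$id     = save_comment($pdo, $input);
$stored = load_comment($pdo, $id);

var_dump($stored === $input);   // compares the stored value with the input
echo render_as_text($stored), PHP_EOL;
```

Where some tags have to survive rendering, an HTML sanitizer such as the HTML Purifier mentioned above takes the place of htmlspecialchars() in the output step.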