I forgot how to take a user input of HTML and make it so it's safe to store it in the database, and then how to return it to HTML... Please help.
(It's too late.)
HTML Tags + MySQL Database
- tecktalkcm0391
- DevNet Resident
- Christopher
- Site Administrator
Re: HTML Tags + MySQL Database
I would recommend something like:
<?php
// filtering
// limit strings to characters you will allow
$email = preg_replace('/[^a-zA-Z0-9\-\_\@\.]/', '', $_POST['email']);
// or numbers
$id = intval($_POST['id']);
// escape values before adding them to SQL
// (mysql_real_escape_string() needs an open mysql_connect() link;
//  the mysql extension it belongs to was removed in PHP 7)
$email = mysql_real_escape_string($email);
$id = mysql_real_escape_string($id); // do this anyway in case you change id to alphanum later
$sql = "UPDATE mytable SET email='$email' WHERE id='$id'";
- tecktalkcm0391
- DevNet Resident
Re: HTML Tags + MySQL Database
Do I need to unescape the data when it comes out of MySQL? Once again... it's too late to try.
Re: HTML Tags + MySQL Database
tecktalkcm0391 wrote: Do I need to unescape the data when it comes out of MySQL? Once again... it's too late to try.
No.
Re: HTML Tags + MySQL Database
So is it unsafe to store pure HTML in databases? I'm just getting to grips with it now, but I have tried it on my test setup and it seems fine (even with double quotes)?
If not, does anyone have a link to an article discussing how preg_replace works when used with HTML?
Cheers
J
- tecktalkcm0391
- DevNet Resident
Re: HTML Tags + MySQL Database
You can use HTML, just don't use preg_match this way... Search the PHP Manual for HTML tags, because you want to change it into a special form, then submit it to the database and recall it later, but always use mysql_real_escape_string() for anything submitted to the database.
- RobertGonzalez
- Site Administrator
Re: HTML Tags + MySQL Database
Look at HTML Purifier as well. It is a little slow, but can be used to handle cleansing of HTML coming from the database. Though cleaning it before it hits the database might be better.
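As an added example (written for this thread, not code from any of the posters), here is the store-then-display round trip the original question asks about, in current PHP: a PDO prepared statement takes the place of mysql_real_escape_string() on the way in, the value comes back out of the database unchanged with no unescape step, and escaping is done once, at output time, with htmlspecialchars(). It assumes an in-memory SQLite database so it runs offline (against MySQL only the DSN changes) and a constructed sample comment; if you want to let a subset of tags through instead of showing them literally, that is the job HTML Purifier does.

```php
<?php
declare(strict_types=1);

// Assumed: an in-memory SQLite database standing in for MySQL.
function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Storing: a bound parameter replaces mysql_real_escape_string(). The value is
// sent as data, never spliced into the SQL text, so quotes or tags in it cannot
// change the query.
function storeComment(PDO $db, string $body): int {
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Reading: the row comes back exactly as it was submitted; nothing to unescape.
function loadComment(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// Rendering: escape for the output context (HTML) at the point of output.
// htmlspecialchars() turns <, >, &, " and ' into entities, so the stored text
// is displayed literally instead of being interpreted as markup.
function renderComment(string $body): string {
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = openDb();
// Constructed sample input containing a single quote, double quotes and a tag.
$raw = "Bob's review: <script>alert(1)</script> \"great\" product";
$id = storeComment($db, $raw);
$stored = loadComment($db, $id);
if ($stored !== $raw) {
    throw new RuntimeException('database altered the stored value');
}
echo renderComment($stored), PHP_EOL;
```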