HTML Tags + MySQL Database
Posted: Sat Feb 16, 2008 12:33 am
by tecktalkcm0391
I forgot how to take a user input of HTML and make it so it's safe to store it in the database, and then how to return it to HTML... Please help...
(It's too late.)
Re: HTML Tags + MySQL Database
Posted: Sat Feb 16, 2008 9:36 am
by Christopher
I would recommend something like:
```php
<?php
// filtering
// limit strings to characters you will allow
$email = preg_replace('/[^a-zA-Z0-9\-\_\@\.]/', '', $_POST['email']);
// or numbers
$id = intval($_POST['id']);
// escape values before adding them to SQL
$email = mysql_real_escape_string($email);
$id = mysql_real_escape_string($id); // do this anyway in case you change id to alphanum later
$sql = "UPDATE mytable SET email='$email' WHERE id='$id'";
```
Re: HTML Tags + MySQL Database
Posted: Sat Apr 05, 2008 12:41 am
by tecktalkcm0391
Do I need to unescape the data when it comes out of MySQL? Once again... it's too late to try.
Re: HTML Tags + MySQL Database
Posted: Sat Apr 05, 2008 2:58 pm
by Mordred
tecktalkcm0391 wrote:
Do I need to unescape the data when it comes out of MySQL? Once again... it's too late to try.
No.
Re: HTML Tags + MySQL Database
Posted: Sat Apr 05, 2008 5:15 pm
by spgkr
So is it unsafe to store pure HTML in databases? I'm just getting to grips with it now, but I have tried it on my test setup and it seems fine (even with double quotes)?
If not, does anyone have a link to an article discussing how preg_replace works when used with HTML?
Cheers
J
Re: HTML Tags + MySQL Database
Posted: Thu Apr 10, 2008 6:22 pm
by tecktalkcm0391
You can use HTML, just don't use preg_match this way... Search the PHP Manual for HTML tags, because you want to change it into a special form, then submit it to the database and recall it later, but always use mysql_real_escape_string() for anything submitted to the database.
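The three points raised in this thread (allow-list filtering of structured fields, escaping or parameterising before the value reaches SQL, and encoding on the way back out to HTML) fit together as below. This is an added example, not code from any of the posters; it assumes PHP 7 or later with the PDO SQLite driver, and the table, the `comments` column names and the submitted string are constructed for the demo. It uses a prepared statement where Christopher's post uses mysql_real_escape_string(), since the mysql_* functions no longer exist in current PHP, and the round-trip check shows why Mordred's answer is "No": the escaping is consumed by the SQL parser, so what comes back out is the original text.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7 with pdo_sqlite;
// table name, column names and sample input are constructed for the demo.

// 1. Filtering (Christopher's approach): restrict a *structured* field to an
//    allow-list of characters. Note that preg_replace strips rather than
//    rejects, so validate the result separately if you need to know whether
//    anything was removed. Do not use this on free-form HTML.
function filterEmail(string $raw): string
{
    return preg_replace('/[^a-zA-Z0-9\-\_\@\.]/', '', $raw);
}

function filterId($raw): int
{
    return intval($raw);
}

// 2. Storage: user data must never reach the SQL parser as SQL syntax.
//    A prepared statement does what mysql_real_escape_string() did by hand
//    and cannot be forgotten for one field. The stored value is the original
//    string, so nothing needs to be "unescaped" when reading it back.
function storeComment(PDO $db, int $id, string $html): void
{
    $stmt = $db->prepare('INSERT INTO comments (id, body) VALUES (:id, :body)');
    $stmt->execute([':id' => $id, ':body' => $html]);
}

function loadComment(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// 3. Output: encode at the moment the value is placed into an HTML page, so
//    that tags and quotes in the stored text are shown as text, not parsed.
//    This is the "special form" the PHP manual describes for HTML tags.
function renderAsText(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- demo with an in-memory SQLite database and constructed input ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$submitted = '<b>Hi "Bob" & O\'Neil</b> <script>alert(1)</script>';
$id = filterId('42abc');            // intval keeps only the leading digits
storeComment($db, $id, $submitted);

$back = loadComment($db, $id);
if ($back !== $submitted) {
    // Would only trigger if something escaped the value twice or stored it encoded.
    throw new RuntimeException('stored value differs from what was submitted');
}

// Safe to embed in a page: angle brackets, ampersand and both quote styles are encoded.
echo renderAsText($back), PHP_EOL;

// The allow-list filter silently drops anything outside the class, including '<' and '>'.
echo filterEmail('j.doe@example.com<img>'), PHP_EOL;
```

The separation matters: SQL escaping (or parameter binding) protects the database query and HTML encoding protects the page, and each is applied only at the boundary it belongs to. Storing the raw HTML and encoding on output, rather than encoding before the INSERT, keeps the data reusable if it is later rendered somewhere other than an HTML page.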
Re: HTML Tags + MySQL Database
Posted: Thu Apr 10, 2008 6:49 pm
by RobertGonzalez
Look at HTML Purifier as well. It is a little slow, but can be used to handle cleansing of HTML coming from the database. Though cleaning it before it hits the database might be better.