garry Posted May 25, 2008
Alright, so hopefully this won't be too hard to solve. I'm using TinyMCE editor on my site, and it allows users to add styles to text. The problems arise when it uses the <span> tag. Say for example, if TinyMCE added <span style="somethinghere">some text here</span>. Because I have mysql_real_escape_string on, it will escape the style="" to become style=\"\" and so the styles won't display. How can I make it so that it won't escape inside the tags that I specify to fix this? Thanks!

trq Posted May 25, 2008
mysql_real_escape_string only escapes data while it is being inserted into your database. Your database shouldn't store the slashes as well. If your data is being stored with the slashes in place then there is something wrong. Make sure magic_quotes_gpc() is not enabled.

Wolphie Posted May 25, 2008
Most visual editors have their own security. E.g. for escaping and securing. (I've never had a problem with TinyMCE)

garry Posted May 25, 2008 Author
I'm sure I read on the TinyMCE website that they do not escape the data. And also, if JavaScript is disabled, it will just be a regular textbox and it can be exploited.

Wolphie Posted May 25, 2008
Try using strip_slashes();

garry Posted May 25, 2008 Author
Yep, I just figured it out after I posted that last post, but thanks heaps for your help.

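The double-escaping symptom discussed in this thread, as an added example that is not code from any poster. It assumes PHP 7+ with the pdo_sqlite extension, uses addslashes() to stand in for magic_quotes_gpc (removed in PHP 5.4), and swaps in PDO bound parameters for mysql_real_escape_string; the table name and sample markup are constructed.

```php
<?php
// Constructed sample: markup as a rich-text editor would submit it.
$submitted = '<span style="color: red">some text here</span>';

// Stand-in for magic_quotes_gpc: request data arrives with slashes
// already added before the script sees it.
$fromRequest = addslashes($submitted);

// In-memory database so the example runs offline (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)');

/** Store a post body and return exactly what the database kept. */
function store(PDO $db, string $body): string
{
    // Bound parameter: the driver handles quoting for the SQL statement
    // and adds nothing to the stored value.
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    $row = $db->query('SELECT body FROM posts ORDER BY id DESC LIMIT 1');
    return $row->fetchColumn();
}

// Symptom: the slashes added upstream are part of the data, so they are
// stored and later break the style attribute when the post is displayed.
$broken = store($db, $fromRequest);
echo "stored with extra layer: ", $broken, PHP_EOL;

// Fix: remove the extra layer once, at input, before storing.
// Stripping slashes at display time would hide the symptom but leave
// corrupted rows in the table.
$clean = stripslashes($fromRequest);
$fixed = store($db, $clean);
echo "stored after undoing it: ", $fixed, PHP_EOL;

// The stored value now matches what the editor submitted.
var_dump($fixed === $submitted);
```

SQL escaping only protects the query. The stored markup is still untrusted HTML (the form works as a plain textbox with JavaScript disabled), so it needs a server-side allow-list HTML sanitizer before it is rendered to other users.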