Encoding & Decoding HTML when working with MySQL


NEONecd999

I have a form with a text area where users can input HTML code. That is then stored in a field of a MySQL table.

On another page, this HTML code must be selected from the table and echoed, so that the processed HTML code is what will appear in the browser.

Problem is, there are symbols in the HTML code, such as single quotation marks, that will kill the syntax of the MySQL UPDATE statement and allow for MySQL injection attacks. To avoid this, I usually put "htmlentities($content, ENT_QUOTES)" instead of simply "$content" into the MySQL statement. However, if I do this, when I SELECT the info to output in another HTML page, it is not processed as HTML, as all HTML symbols have been translated into their character codes...

 

So which PHP functions should I use to encode and decode my content (in this case HTML code) to suit this scenario?

 

Thanks.


So which PHP functions should I use to encode and decode my content (in this case HTML code) to suit this scenario?

 

Don't. Use mysql_real_escape_string.

 

However, you might want to consider what you're allowing through - unless this is something hidden away in an admin area, someone could use things like script tags and you'll end up in a whole heap of trouble.

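The reply's point is that SQL escaping and HTML encoding solve two different problems and belong in two different places: escape (or better, parameterize) when the text goes into the SQL statement, and encode only when the text goes into an HTML context where it must appear as literal characters. The following is an added example, not code from the thread; it assumes a table `pages` with columns `id` INT and `body` TEXT, and the PDO connection constants are placeholders. It uses prepared statements as the modern form of the advice, and shows `mysqli_real_escape_string` as the direct successor of `mysql_real_escape_string`, which was removed in PHP 7.

```php
<?php
// Added example (not from the original thread). Assumes a MySQL table
// `pages` (id INT, body TEXT). DSN and credentials below are placeholders.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=app;charset=utf8mb4'; // placeholder
const DB_USER = 'app';      // placeholder
const DB_PASS = 'changeme'; // placeholder

function db(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Storing: no HTML encoding at all. The value travels to the server as a
// bound parameter, separate from the SQL text, so quotes or semicolons in
// $html cannot alter the statement.
function savePage(PDO $pdo, int $id, string $html): void
{
    $stmt = $pdo->prepare('UPDATE pages SET body = :body WHERE id = :id');
    $stmt->execute([':body' => $html, ':id' => $id]);
}

// Legacy form of the same idea, matching the reply's advice: escape for the
// SQL string context only. mysqli_real_escape_string() replaces the removed
// mysql_real_escape_string(); the integer id is cast, not interpolated raw.
function savePageLegacy(mysqli $db, int $id, string $html): void
{
    $escaped = mysqli_real_escape_string($db, $html);
    $idSql   = (int) $id;
    mysqli_query($db, "UPDATE pages SET body = '$escaped' WHERE id = $idSql");
}

// Reading back: what comes out is exactly what the user typed, because
// nothing was encoded on the way in.
function loadPage(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// Output context 1: showing the stored HTML as *source*, e.g. back inside
// the edit form's <textarea>. Here the markup must be encoded so that it is
// displayed rather than interpreted.
function renderAsSource(string $html): string
{
    return htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Output context 2: rendering the stored HTML as markup. This is only safe
// when the author is trusted (the reply's "hidden away in an admin area"
// case); for untrusted authors the text must go through a real HTML
// sanitizer first, because anything they wrote, script tags included,
// would otherwise run in every visitor's browser.
function renderAsMarkupFromTrustedAuthor(string $html): string
{
    return $html;
}

// Demonstrates, without a database, why encoding before storage is wrong:
// the encoded form is what would come back out of the SELECT.
function whyNotEncodeOnInput(string $html): array
{
    return [
        'stored_if_encoded' => htmlentities($html, ENT_QUOTES, 'UTF-8'),
        'stored_if_raw'     => $html,
    ];
}

// Usage sketch (needs a live connection):
//   $pdo = db();
//   savePage($pdo, 1, $_POST['content']);
//   $body = loadPage($pdo, 1) ?? '';
//   echo '<textarea name="content">' . renderAsSource($body) . '</textarea>';
//   echo renderAsMarkupFromTrustedAuthor($body); // display page, trusted only
```

Note that `strip_tags()` with an allowed-tag list is not a substitute for a sanitizer: it keeps every attribute on the tags it allows, so event-handler attributes survive. If untrusted users may submit HTML that is rendered, use a purpose-built HTML sanitizing library rather than hand-rolled filtering.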
