BBCode question

[adamlacombe]

I'm trying to work on BBCode for a forum.

<?php
$bb_Code = array(
'[ code]' => '<code>',
'[ /code]' => '</code>'
);
foreach ($bb_Code as $value => $replace) {
$text = str_replace($value, $replace, $text);
} ?>

 

Question is.. how would I get it so when I insert information into the database it gets cleaned (strip_tags, etc.) but doesn't disturb what is in the [ code ] tags?

So basically it makes the html, etc. in the [ code ] tags just plain text?

 

Thanks in advanced.

[DavidAM]

Call htmlspecialchars() just before the bbcode replacements:

<?php
$text = htmlspecialchars($text);
$bb_Code = array(
'[ code]' => '<code>',
'[ /code]' => '</code>'
);
foreach ($bb_Code as $value => $replace) {
$text = str_replace($value, $replace, $text);
} ?>

 

To me, it seems best to store the data in the database exactly as entered by the user (especially, if you are going to let them edit it later).  Then do the (htmlspecialchars() and) bbcode changes just before displaying it on a page - but not before presenting it in a textarea for the user to edit.

[adamlacombe]

hmm ok but wouldn't I be vulnerable to an attack if I don't clean the $_POST before it gets inserted into the database?

[adamlacombe]

Correct? 

[DavidAM]

To protect against SQL injection attacks, use the mysql_real_escape() which will escape any characters that might cause problems with the database access.  If you are not using mysql, the use some other appropriate function for your database.

 

The htmlspecialchars() function will protect you from HTML and SCRIPT injections since the code will be displayed and not interpreted.

 

There may be other things to do, there are a lot of topics on this site about sanitizing user input.