pocobueno1388, Posted June 8, 2007

Okay, to my understanding it is very unsafe to allow users to submit HTML from a form to the database.

What if I allowed the user to use HTML, but when they submitted it I would change all the >'s and <'s into brackets [ and ]. So the user would type out:

<img src="image.jpg">

and it would be inserted into the database like this:

[img src="image.jpg"]

Would this be a secure way of doing it? Or is there a better way?

fert, Posted June 8, 2007

http://us.php.net/manual/en/function.htmlentities.php

btherl, Posted June 8, 2007

For storing in the database, mysql_real_escape_string() is the right function. For when you want to display the data again, see fert's comment above.

pocobueno1388 (Author), Posted June 8, 2007

Yeah, I already do mysql_real_escape_string() on everything going into the db.

Thank you, that function will work perfectly [as it was made for that, hah].
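
The split the replies describe (handle SQL safety when storing, encode for HTML when displaying), as an added example that is not part of the thread. It substitutes PDO prepared statements for mysql_real_escape_string(), which was removed in PHP 7; the `posts` table, the `render_post()` helper and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Table, column and function names
// are hypothetical. Uses in-memory SQLite via PDO (pdo_sqlite) to run offline.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample submissions: the image tag from the question, a script
// tag, and text with a quote that would break a concatenated SQL string.
$submissions = [
    '<img src="image.jpg">',
    '<script>alert(1)</script>',
    "it's <b>bold</b> & \"quoted\"",
];

// Storage: bind the value as a parameter. The database receives the text
// unchanged; no bracket swapping or HTML encoding happens at this stage.
$insert = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
foreach ($submissions as $body) {
    $insert->execute([':body' => $body]);
}

// Display: encode at output time, for the HTML context it is printed into.
function render_post(string $body): string
{
    return '<p>' . htmlentities($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

foreach ($pdo->query('SELECT id, body FROM posts ORDER BY id') as $row) {
    // The stored value round-trips exactly as submitted ...
    if ($row['body'] !== $submissions[$row['id'] - 1]) {
        throw new RuntimeException('stored body was altered');
    }
    // ... and the rendered form shows the markup as text instead of running it.
    echo render_post($row['body']), PHP_EOL;
}
```

Because the stored text is untouched, the same row can later be encoded differently for another output context (an HTML attribute, JSON, plain-text e-mail) without first undoing a storage-time transformation.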