pocobueno1388
Posted June 8, 2007

Okay, to my understanding it is very unsafe to allow users to submit HTML from a form to the database.

What if I allowed the user to use HTML, but when they submitted it I would change all the >'s and <'s into brackets [ and ].

So the user would type out:

<img src="image.jpg">

and it would be inserted into the database like this:

[img src="image.jpg"]

Would this be a secure way of doing it? Or is there a better way?

Link to comment https://forums.phpfreaks.com/topic/54676-solved-secure-way-to-store-html-in-the-database/

fert
Posted June 8, 2007

http://us.php.net/manual/en/function.htmlentities.php

btherl
Posted June 8, 2007

For storing in the database, mysql_real_escape_string() is the right function. For when you want to display the data again, see fert's comment above.

pocobueno1388 (Author)
Posted June 8, 2007

Yeah, I already do mysql_real_escape_string() on everything going into the db.

Thank you, that function will work perfect [as it was made for that, hah].
This topic is now archived and is closed to further replies.
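
The split the replies describe, escaping for SQL when storing and for HTML when displaying, shown as an added example that is not code from any poster in the thread. It uses PDO with a bound parameter and an in-memory SQLite database in place of mysql_real_escape_string() and MySQL (assumes the pdo_sqlite extension); the table name, function names and sample input are constructed for illustration.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the MySQL database in the thread (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Storage: keep the text exactly as typed. The bound parameter keeps it out of
// the SQL grammar, the job mysql_real_escape_string() does in the thread.
function storeComment(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Display: encode at output time so the browser renders the markup as text.
// ENT_QUOTES also encodes " and ', which matters inside HTML attributes.
function renderComment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    if ($body === false) {
        throw new RuntimeException("No comment with id $id");
    }
    return htmlentities((string) $body, ENT_QUOTES, 'UTF-8');
}

// The bracket swap proposed in the question, for comparison. It is lossy
// (a typed "[" and a swapped "<" become indistinguishable, and "1 < 2"
// is altered) and it leaves both quote characters untouched.
function bracketSwap(string $body): string
{
    return strtr($body, ['<' => '[', '>' => ']']);
}

// Constructed sample input: the tag from the question plus ordinary text.
$input = '<img src="image.jpg"> O\'Brien says 1 < 2 [really]';
$id = storeComment($pdo, $input);

echo renderComment($pdo, $id), PHP_EOL; // entity-encoded, safe to place in HTML
echo bracketSwap($input), PHP_EOL;      // brackets swapped, quotes still raw
```

Because the database holds the original text, the same row can later be encoded differently for another output context without having to reverse an earlier transformation.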