rofl90 Posted March 9, 2008
Once inside my CMS I decided I didn't need to validate. Now I've just realised I'm going to be using HTML. Is it OK for me to use HTML/JavaScript as inputs, e.g. into a database to be retrieved for a page?
pocobueno1388 Posted March 9, 2008
You should look into this HTML Purifier class: http://htmlpurifier.org/
rofl90 Posted March 9, 2008 (Author)
I just downloaded it, it's huge! I just want a few functions, or a page for a class to include, but 100 pages? Please...
pocobueno1388 Posted March 9, 2008
Download the "light" version, it cuts it down a lot. I use it and I've never noticed a performance issue.
rofl90 Posted March 9, 2008 (Author)
OK, and I just do:

    <?php
    require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';

    $dirty_html = $_POST['content'];
    $purifier   = new HTMLPurifier();
    $clean_html = $purifier->purify($dirty_html);
    // I insert $clean_html into my db?
    ?>
pocobueno1388 Posted March 9, 2008
Yep, that's exactly how you use it. Although I would use mysql_real_escape_string() with it too. You have to make sure you escape the data AFTER the purifying though. Like this:

    $clean_html = mysql_real_escape_string($purifier->purify($dirty_html));
rofl90 Posted March 9, 2008 (Author)
Okie dokie then.
rofl90 Posted March 9, 2008 (Author)
Is this OK then:

    if (isset($_POST['add'])) {
        require_once '../htmlcleaner/library/HTMLPurifier.auto.php';
        $purifier = new HTMLPurifier();

        // Read the submitted values first, then purify them. (As originally
        // posted, purify() ran on these variables before they were assigned
        // from $_POST, so every column would have been written as empty.)
        $footer1      = $_POST['footer'];
        $sitetitle2   = $_POST['sitetitle'];
        $keywords3    = $_POST['keywords'];
        $description4 = $_POST['description'];
        $timeout5     = $_POST['timeout'];
        $maintenance6 = $_POST['maintenance'];
        $siteslogan7  = $_POST['siteslogan'];

        $footer      = $purifier->purify($footer1);
        $sitetitle   = $purifier->purify($sitetitle2);
        $keywords    = $purifier->purify($keywords3);
        $description = $purifier->purify($description4);
        $timeout     = $purifier->purify($timeout5);
        $maintenance = $purifier->purify($maintenance6);
        $siteslogan  = $purifier->purify($siteslogan7);

        $query = "UPDATE settings SET footer='$footer', sitetitle='$sitetitle', keywords='$keywords', description='$description', timeout='$timeout', maintenance='$maintenance', siteslogan='$siteslogan'";
        mysql_query($query) or die(mysql_error());

        echo "Updated settings! Click <a href='settings.php'>here</a> to go back.";
    }
pocobueno1388 Posted March 9, 2008
Don't forget the mysql_real_escape_string(). Other than that, it looks fine.
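The pattern the two replies above describe (purify the HTML, then get it into the database without it ever being interpreted as SQL) written out as one complete handler. This is an added example, not code from the thread or from HTML Purifier's own documentation. It keeps the poster's include path and the column names from the UPDATE query; the PDO DSN, username and password are placeholders, and it assumes PHP 7 or later (where the mysql_* extension no longer exists, so a PDO prepared statement replaces mysql_real_escape_string()). Two things the thread's code does not do are shown deliberately: an explicit tag whitelist for the purifier, and plain validation instead of purify() for the fields that are not HTML at all (a timeout is a number, not markup).

```php
<?php
// Added example (not code from the thread). Assumptions: the include path and
// the settings column names come from the poster's code; the PDO DSN, user and
// password are placeholders. Requires PHP 7+ for the ?? operator.
require_once '../htmlcleaner/library/HTMLPurifier.auto.php';

// 1. Configure the purifier with an explicit whitelist. The default config
//    already removes <script>, on* handlers and javascript: URLs, but a short
//    allow-list is easier to audit than the default "everything safe" set.
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'p,br,b,i,strong,em,ul,ol,li,a[href]');
$config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
$config->set('AutoFormat.RemoveEmpty', true);
$purifier = new HTMLPurifier($config);

// Which settings may carry markup. Everything else is plain text or a number
// and is validated, not purified: purify('30') is harmless but says nothing
// about whether 30 is a sane timeout.
$htmlFields = ['footer', 'siteslogan'];
$textFields = ['sitetitle', 'keywords', 'description'];

/**
 * Turn the raw POST array into validated column values, or return null if any
 * field is unacceptable. Kept separate from the request handling so it can be
 * exercised without a web server.
 */
function cleanSettings(HTMLPurifier $purifier, array $post, array $htmlFields, array $textFields)
{
    $clean = [];
    foreach ($htmlFields as $f) {
        $clean[$f] = $purifier->purify((string) ($post[$f] ?? ''));
    }
    foreach ($textFields as $f) {
        // Plain-text columns: drop tags entirely, trim, and cap the length so a
        // multi-megabyte "keywords" value cannot bloat the row or the <meta> tag.
        $value = trim(strip_tags((string) ($post[$f] ?? '')));
        if (strlen($value) > 1000) {
            return null;
        }
        $clean[$f] = $value;
    }
    if ($clean['sitetitle'] === '') {
        return null; // a site with no title is a broken site
    }
    $timeout = filter_var($post['timeout'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 86400]]);
    if ($timeout === false) {
        return null;
    }
    $clean['timeout']     = $timeout;
    $clean['maintenance'] = !empty($post['maintenance']) ? 1 : 0; // checkbox
    return $clean;
}

if (isset($_POST['add'])) {
    $clean = cleanSettings($purifier, $_POST, $htmlFields, $textFields);
    if ($clean === null) {
        http_response_code(400);
        exit('Invalid settings.');
    }

    // 2. Prepared statement instead of string building: the values never become
    //    part of the SQL text, so there is no escaping step whose order could be
    //    wrong. (If you stay on mysql_real_escape_string(), it must run on the
    //    purifier's output, as the reply above says: escaping first inserts
    //    backslashes that the purifier then treats as ordinary content.)
    $pdo = new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', 'cms_user', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $stmt = $pdo->prepare(
        'UPDATE settings SET footer = :footer, sitetitle = :sitetitle, keywords = :keywords,
         description = :description, timeout = :timeout, maintenance = :maintenance,
         siteslogan = :siteslogan'
    );
    $stmt->execute($clean); // array keys match the named placeholders

    // 3. On output, the purified HTML columns are echoed as-is (that is what they
    //    were purified for); the plain-text columns still get escaped on output.
    echo 'Updated settings! Click <a href="settings.php">here</a> to go back. Title is now: '
       . htmlspecialchars($clean['sitetitle'], ENT_QUOTES, 'UTF-8');
}
```

The split between $htmlFields and $textFields is the point of the example: HTML Purifier answers "is this markup safe to render?", which is the right question for a footer or slogan, but it is the wrong tool for a title that goes into <title> or a timeout that goes into arithmetic. Storing the purifier's output and rendering it raw is fine only because every write path goes through the purifier; anything that lets unpurified HTML into those columns (a direct SQL fix-up, an import script) reintroduces stored XSS.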