Menu
I’m setting up a comments system on a site, with the comments stored in a mysql database. To prevent sql-injection, I run mysql_real_escape_string() on ingoing data. This should be enough to protect the database (tell me if otherwise), but I’d like to prevent people from posting Javascript and other malicious html. Basically, I’d like the comments to be bbcode and text only, using this bbcode parser:
[url]http://il.php.net/manual/en/function…lace.php#69398
How can I strip the remaining html, javascript, and whatnot from the posts? If somebody has already invented this wheel, then I’d rather not risk a security breach by trying to reinvent it myself.
Dotan Cohen
[url]http://song-lirics.com