Tiresome question, sanitizing user HTML input

I hate to be asking this question, 1. because it's a typical newb question that probably gets asked a lot, and 2. because I've done some tuts on this but now can't seem to find the files I'd saved to refer to.

But anyway, I'm building a simple CMS. There are some text fields for user input. This input gets displayed on a web page and the user needs to be able to enter simple HTML tags like <span class='whatever'>, <b>, <p>... etc.

I know I need to sanitize the input. Can someone suggest what all functions I should use? Like addslashes() (going into the D?), removeslashes() (going back out onto the page), htmlspecialchars()... should I use...? Should I use filter_var('copy', FILTER_SANITIZE_STRING)...?

Or can someone point me in the right direction for some good tuts on this topic? Big thanks.

PHP

3 Comments

@Belrick Jul 05, 2012 — Good question

I just use addslashes() for AJAX data and mysql_real_escape_string() for forms used for logging in.

@NogDog Jul 06, 2012 — My recommendation would be to use one of the WYSIWYG plug-ins out there (such as TinyMCE), which will provide a nice interface to the users while handling all the nuts and bolts for you.

PS: There is generally no reason to be using addslashes() or stripslashes() anywhere. You should be using the escaping mechanism specific to the DBMS extension being used (or better yet, using prepared statements and bound parameters), and there should never be a need to remove slashes on data retrieved from the DB, since *the escaping slashes never actually get into the database* (they just tell the SQL parser which characters to treat literally rather than as special characters).
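The two halves of NogDog's advice in code, as an added example that is not from the thread or from any of the posters: a PDO bound parameter on the way into the database (no addslashes()/stripslashes()), and on the way out a rebuild of the user's HTML from an allow-list of tags and attributes with DOMDocument, since htmlspecialchars() alone would display the <b> and <span> tags literally. The `$pdo` connection, the `pages(id, body)` table and the tag list are assumptions.

```php
<?php
// Hypothetical allow-list for this CMS: tag name => attributes that may stay.
const ALLOWED = ['b' => [], 'i' => [], 'p' => [], 'span' => ['class']];
// Storage: bound parameter, no addslashes()/stripslashes(); the driver quotes the
// value for the SQL parser and the row holds exactly what the user typed.
function savePage(PDO $pdo, int $id, string $body): void
{
    $stmt = $pdo->prepare('UPDATE pages SET body = :body WHERE id = :id');
    $stmt->execute([':body' => $body, ':id' => $id]);
}
// Output: parse the stored fragment and rebuild it from the allow-list. Attributes such
// as onclick/style/href are dropped, <script>/<style> go away whole, other unknown
// elements are unwrapped so their text survives, and text nodes come back escaped.
function sanitizeHtml(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate sloppy user markup
    $doc->loadHTML('<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '<div id="root">' . $html . '</div>');
    libxml_use_internal_errors($prev);
    $root = $doc->getElementById('root');
    cleanChildren($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
function cleanChildren(DOMNode $parent): void
{
    foreach (iterator_to_array($parent->childNodes, false) as $node) { // copy: list is mutated
        if ($node instanceof DOMText) { continue; }
        $tag = $node instanceof DOMElement ? strtolower($node->tagName) : '';
        if (!isset(ALLOWED[$tag])) {            // comments, PIs, disallowed elements
            if (!in_array($tag, ['script', 'style'], true)) {   // keep the text of the rest
                cleanChildren($node);
                while ($node->firstChild) {     // unwrap: hoist the cleaned children
                    $parent->insertBefore($node->firstChild, $node);
                }
            }
            $parent->removeChild($node);
            continue;
        }
        foreach (iterator_to_array($node->attributes, false) as $attr) {
            if (!in_array(strtolower($attr->name), ALLOWED[$tag], true)) {
                $node->removeAttributeNode($attr);
            }
        }
        cleanChildren($node);
    }
}
```

Fields that are meant to hold plain text rather than HTML should instead be output with htmlspecialchars($value, ENT_QUOTES, 'UTF-8').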

@toptomato (author) Jul 07, 2012 — Belated thanks a lot, guys.