Making html safe to insert into database..

Postby Link on Fri Oct 13, 2006 8:51 pm

OK, I've created my own CMS to add content to my site; however, I've read about SQL injections and whatnot and use
Code:
mysql_real_escape_string(strip_tags($_POST['id']));


to keep things nice and clean, but I need HTML for the content to display properly.

So is there a way to prevent SQL injections without using mysql_real_escape?

Also it's in a password protected area so will that make any difference?
Link
Registered User
Posts: 31
Joined: Sat Sep 10, 2005 8:43 pm

OvBB...

Postby iyeru42 on Sun Jan 14, 2007 7:31 pm

OvBB, a forum software developed by J. Freeman, has a PHP function called html_sanitize; you may want to ask him at ovbb.org (if you can't access that domain, try ovbbres.org).
iyeru42
Registered User
Posts: 22
Joined: Sun Jan 14, 2007 5:20 pm
Location: Wisconsin, Madison

Postby DooBDee on Fri Jan 19, 2007 5:29 pm

Just use htmlspecialchars(), then create a function to undo htmlspecialchars(); it's not that difficult :)
DooBDee
Website Ninja
DooBDee.net
DooBDee
Moderator
Posts: 3530
Joined: Tue Mar 01, 2005 6:28 pm
Location: DooBDee.net

Re: Making html safe to insert into database..

Postby PostBot on Fri Jan 19, 2007 6:35 pm

Link wrote: "So is there a way to prevent SQL injections without using mysql_real_escape?"
Why would you even consider not using mysql_real_escape_string()? No need to reinvent the wheel. Just use mysql_real_escape_string() and single quotes and you'll be safe.
Do NOT pm me, I don't visit this forum anymore, don't own it, don't provide any support and don't moderate.
PostBot
Moderator
Posts: 10659
Joined: Sat Aug 02, 2003 3:52 pm
Location: Mars

Postby Link on Thu Mar 01, 2007 11:28 am

Is it ok to use mysql_real_escape_string and then use stripslashes when calling the data?
Link
Registered User
Posts: 31
Joined: Sat Sep 10, 2005 8:43 pm

Postby PostBot on Thu Mar 01, 2007 11:35 am

You don't need stripslashes because data returned by mysql_fetch_* doesn't have slashes. You only need to add slashes when entering data into the database.
PostBot
Moderator
Posts: 10659
Joined: Sat Aug 02, 2003 3:52 pm
Location: Mars
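
An added example, not code from the thread or from any poster: it shows that SQL escaping or parameter binding only protects the query text, so HTML is stored unchanged and comes back without stripslashes() or strip_tags(). It uses PDO with an in-memory SQLite database in place of the mysql_* functions discussed above (the mysql extension was removed in PHP 7); the table, column names and sample values are constructed, and treating the body as trusted author HTML is an assumption based on the password-protected admin area.

```php
<?php
// Added illustration. Table/column names and sample input are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');

// Constructed CMS input: HTML with single quotes, double quotes and a backslash.
$title = "Bob's <b>news</b>";
$body  = "<p class=\"intro\">It's a \"quoted\" line with a back\\slash</p>";

// 1. Bound parameters: the HTML travels as data, never as part of the SQL text.
$ins = $db->prepare('INSERT INTO pages (title, body) VALUES (:title, :body)');
$ins->execute([':title' => $title, ':body' => $body]);

// 2. Escaped string literals (the same idea as mysql_real_escape_string plus
//    single quotes): the escaping exists only inside the SQL statement.
$db->exec('INSERT INTO pages (title, body) VALUES ('
    . $db->quote($title) . ', ' . $db->quote($body) . ')');

/** Return every stored page as an associative array. */
function fetchPages(PDO $db): array
{
    return $db->query('SELECT id, title, body FROM pages ORDER BY id')
              ->fetchAll(PDO::FETCH_ASSOC);
}

foreach (fetchPages($db) as $row) {
    // The database returns the original bytes: nothing to strip or undo.
    if ($row['title'] !== $title || $row['body'] !== $body) {
        throw new RuntimeException("Row {$row['id']} was altered in storage");
    }
    // Output is a separate concern from SQL safety:
    // a field shown as plain text is HTML-encoded when it is printed,
    echo '<h1>', htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "</h1>\n";
    // while the body is author-written HTML (assumption) and is printed as stored.
    echo $row['body'], "\n";
}
```

Pointing the PDO constructor at a MySQL DSN leaves the prepare()/execute() calls unchanged.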

Re: Making html safe to insert into database..

Postby floridamary4 on Mon Apr 06, 2009 12:30 pm

Thanks for your help :)
floridamary4
Registered User
Posts: 12
Joined: Mon Apr 06, 2009 12:22 pm

