Hi, real quick question.
I'm setting up somewhat of a forum for a website, and I need to allow the storage of HTML tags for formatting (not using BBcode).
What's the best way to secure it? Would mysql_real_escape_string do enough?
(I know it's deprecated, but it's fine for now)
Best way to store user-submitted HTML in SQL?
-
FrederickGeek8
- Posts: 148
- Joined: Wed Nov 30, 2011 10:31 pm
Re: Best way to store user-submitted HTML in SQL?
I'd say thats probably enough... Since when has mysql_real_escape_string been deprecated... I've been using it in all my projects 0_o
What should I use instead? (Sorry hijacking your topic)
What should I use instead? (Sorry hijacking your topic)
-
FrederickGeek8
- Posts: 148
- Joined: Wed Nov 30, 2011 10:31 pm
Re: Best way to store user-submitted HTML in SQL?
I have no idea whats going on
I wanna cry
I think I'm going to create a new topic
I wanna cry
I think I'm going to create a new topic
Re: Best way to store user-submitted HTML in SQL?
Mysql_real_escape_string would work just fine.
You still need to prevent xss attacks and some html tags. You don't want users to be able to use all of the html tags. That could wreak some real havoc on the layout of your site
If you create a list of accepted tags, you wouldn't even need to clean them, because you already know that they're clean.
You still need to prevent xss attacks and some html tags. You don't want users to be able to use all of the html tags. That could wreak some real havoc on the layout of your site
If you create a list of accepted tags, you wouldn't even need to clean them, because you already know that they're clean.