
Best way to store user-submitted HTML in SQL?

Posted: Mon Jun 10, 2013 6:09 am
by Helx
Hi, real quick question.

I'm setting up somewhat of a forum for a website, and I need to allow the storage of HTML tags for formatting (not using BBcode).
What's the best way to secure it? Would mysql_real_escape_string do enough?

(I know it's deprecated, but it's fine for now)

Re: Best way to store user-submitted HTML in SQL?

Posted: Mon Jun 10, 2013 7:21 am
by FrederickGeek8
I'd say that's probably enough... Since when has mysql_real_escape_string been deprecated... I've been using it in all my projects 0_o

What should I use instead? (Sorry hijacking your topic)

Re: Best way to store user-submitted HTML in SQL?

Posted: Mon Jun 10, 2013 7:26 am
by Helx

Re: Best way to store user-submitted HTML in SQL?

Posted: Mon Jun 10, 2013 7:34 am
by FrederickGeek8
I have no idea what's going on

I wanna cry

I think I'm going to create a new topic

Re: Best way to store user-submitted HTML in SQL?

Posted: Mon Jun 10, 2013 11:44 am
by Temor
mysql_real_escape_string would work just fine.
You still need to prevent XSS attacks and some HTML tags. You don't want users to be able to use all of the HTML tags. That could wreak some real havoc on the layout of your site :P

If you create a list of accepted tags, you wouldn't even need to clean them, because you already know that they're clean.
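
An added example, not part of any post in this thread: one way to combine the two concerns raised above, with an allowlist of tags applied before storage and a PDO prepared statement doing the work of `mysql_real_escape_string`. The tag lists, the `posts` table, the function names and the sample submission are assumptions made for illustration, as is the choice to copy no attributes onto kept tags. It needs PHP's `dom` and `pdo_sqlite` extensions.

```php
<?php
// Added example: the allowlists, table name and sample input are assumptions.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'u', 'p', 'br', 'ul', 'ol', 'li', 'blockquote'];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

// Copy $src's children into $dst, keeping only text and allowlisted elements.
function copy_allowed(DOMNode $src, DOMNode $dst, DOMDocument $out): void {
    foreach ($src->childNodes as $child) {
        if ($child instanceof DOMText) {
            // Re-created as a text node, so saveHTML() entity-encodes it.
            $dst->appendChild($out->createTextNode($child->nodeValue));
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->nodeName);
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                continue; // drop the element and everything inside it
            }
            if (in_array($tag, ALLOWED_TAGS, true)) {
                // Element re-created by name only, so no attributes are carried over.
                copy_allowed($child, $dst->appendChild($out->createElement($tag)), $out);
            } else {
                copy_allowed($child, $dst, $out); // unknown tag: unwrap, keep its text
            }
        }
    }
}

function sanitize_html(string $html): string {
    libxml_use_internal_errors(true); // tolerate malformed user markup
    $in = new DOMDocument();
    $in->loadHTML('<?xml encoding="UTF-8">' . $html);
    libxml_clear_errors();
    $body = $in->getElementsByTagName('body')->item(0);
    $out = new DOMDocument('1.0', 'UTF-8');
    $root = $out->appendChild($out->createElement('div'));
    if ($body !== null) {
        copy_allowed($body, $root, $out);
    }
    $clean = '';
    foreach ($root->childNodes as $node) {
        $clean .= $out->saveHTML($node);
    }
    return $clean;
}
// SQLite in memory stands in for the forum's MySQL DSN so this runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$submitted = '<p onclick="x()">Hi <b>bold</b><script>alert(1)</script> <font size="7">big</font></p>'; // constructed sample
$pdo->prepare('INSERT INTO posts (body) VALUES (?)')->execute([sanitize_html($submitted)]);
echo $pdo->query('SELECT body FROM posts')->fetchColumn(), PHP_EOL;
```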