I'm using TinyMCE editor in my site. I want to learn way of correct filter for my input when i'm inserting to DB. Which filters are need to use? For example i get this input to DB this way;
$example = $_POST['example'];
<textarea name="example"></textarea>
I'm not using htmlscepialchars(); because i need the htm开发者_JAVA技巧l tags.
"Sorry for my poor English."
HTMLPurifier.
Download it here: http://htmlpurifier.org/
Include it:
include 'path/to/HTMLPurifier.auto.php';
Use it:
$config = HTMLPurifier_Config::createDefault();
$config->set('Core', 'Encoding', 'UTF-8');
$config->set('XHTML', 'Doctype', 'XHTML 1.0 Strict');
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify( $dirty_html );
And sleep well knowing there are no XSS attacks in HTML cleaned like this.
People suggesting mysql_real_escape_string() probably didn't get your question (or i didn't), you were asking how to filter HTML markup from a WYSIWYG editor so it can be safely stored in a database.
mysql_real_escape_string() is relevant as a protection against SQL injection but prepared statements (google "PDO") are better for that.
If I understand correctly, you want to save html to your database, and need some way to encode it?
You could do the following before saving to the db:
urlencode($_POST['example']);
And when you retrieve, you can urldecode($data);
精彩评论