Which PHP function for escaping special characters

Discussion in 'PHP' started by techbongo, Sep 3, 2009.

  1. #1
    Hi,

    I'm developing a script. The script contains a text box and 1 submit button. Some texts can be added to MySQL using the text box and submit button.

    On another, the raw data is fetched from database and displayed on a web page.

    I want to know what functions should be used, step by step, for storing that data, so that no malicious code (or wrong code like & or <) is inserted into the database and, in turn, is not shown on the display page.
    I've heard of htmlspecialcharacters, mysqlrealescape etc. functions, but I don't know how to use them step by step.

    I must mention that I don't want to strip all HTML tags. I want to keep <br> and <a> tags intact. Please guide me.
     
    techbongo, Sep 3, 2009 IP
  2. szalinski
    #2
    Generally, the idea is not to strip all HTML tags away, but to htmlentities() them so they will be saved in the DB as their appropriate HTML entities, e.g. &#012; etc. Then, when you want to get them from the DB, html_entity_decode them back to their original HTML forms.

    If a SQL command is being run on input, you need to mysql_real_escape_string it. You generally do this after everything else, since it doesn't really make sense to htmlentities the output of a real escape, and I've found it leads to parsing problems.

    So, to sum up entering data in the DB:
    mysql_real_escape_string(htmlentities(addslashes(trim($myvar))))
    But of course it all depends on what you need; it's a bit overkill, I would say, to use this for every single input. Maybe I'm wrong, who knows. But I find it useful nonetheless.
     
    szalinski, Sep 3, 2009 IP
  3. premiumscripts
    #3
    All you should do is mysql_real_escape_string(trim($myvar));

    htmlentities needs to have a character encoding specified as the third parameter if you're using UTF-8 or similar.

    addslashes isn't necessary at all and could even result in multiple \\ being present in the column.
     
    premiumscripts, Sep 3, 2009 IP
  4. Hanratty
    #4
    Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with some of these conversions made; the translations made are those most useful for everyday web programming. If you require all HTML character entities to be translated, use htmlentities() instead.

    This function is useful in preventing user-supplied text from containing HTML markup, such as in a message board or guest book application.

    The translations performed are:

    * '&' (ampersand) becomes '&amp;'
    * '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
    * ''' (single quote) becomes '&#039;' only when ENT_QUOTES is set.
    * '<' (less than) becomes '&lt;'
    * '>' (greater than) becomes '&gt;'
     
    Hanratty, Sep 4, 2009 IP
  5. techbongo
    #5
    This piece of code didn't work for my case. I hope you have used article directories like GoArticles, where you cannot put any HTML tags. Whatever you write in the text area and submit, the article page displays the exact thing (without generating the HTML output; it treats HTML tags, slashes, quotes and special characters as plain text).

    szalinski, can you tell me what the code will be to show the exactly submitted text (everything as text, not as HTML or special characters) which was stored after processing it with your code?

    However, my need is slightly different. I just want to convert newlines to <br> and show a line break wherever a line feed or <br> tag is found in the input. Moreover, I need to forcefully convert any URL to a hyperlink (even when the <a> tag is not used), but I don't want to decode <a> tags.
    I've got the code for creating a hyperlink by recognizing a URL.

    Example What I Need:

    Input in textbox (ignore the underlines):

    
    <script><anytag> <unclosed tag
    ' comma  /' slash <br />comma  / slash
    Adam & Eve &amp;
    http://techbongo.com 
    <a href="http://techbongo.com/">techbongo.com</a>
    </Test> <b>Hello</b>
    ?>
    

    Output on web page:

    <script><anytag> <unclosed tag
    ' comma /' slash
    comma / slash
    Adam & Eve &amp;
    http://techbongo.com
    <a href="http://techbongo.com/">techbongo.com</a>
    </Test> <b>Hello</b>
    ?>



    Hope these 2 examples defines what I want.
     
    Last edited: Sep 4, 2009
    techbongo, Sep 4, 2009 IP
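    The requirement in post #5 (show exactly what was typed, turn newlines and <br> into line breaks, auto-link bare URLs) is easiest to meet by storing the text unchanged and escaping it only when it is rendered, with the single htmlspecialchars() call post #4 describes and the explicit charset post #3 asks for. The following is an added example written for this thread, not code posted by any participant. It uses a PDO prepared statement for storage (the mysql_ functions used in the thread were removed in PHP 7, and a bound parameter makes manual SQL escaping unnecessary); the $pdo handle, the `posts` table and its `body` column are hypothetical names.

```php
<?php
// Added example for this thread (not code posted by any participant).
// Storage keeps the text exactly as typed; all escaping happens when the
// text is rendered. The $pdo handle, table `posts` and column `body` are
// hypothetical names.
declare(strict_types=1);

/** Store the submission unchanged. The bound parameter replaces manual SQL escaping. */
function storePost(PDO $pdo, string $text): void
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => trim($text)]);
}

/**
 * Render a stored post so that every character the author typed is shown
 * literally, a newline or a <br> in the input becomes a line break, and a
 * bare http(s) URL becomes a clickable link.
 */
function renderPost(string $text): string
{
    // A <br> or <br /> typed by the user counts as a line break.
    $text = preg_replace('~<br\s*/?>~i', "\n", $text);

    // Split into alternating [text, url, text, url, ...] pieces. The URL
    // pattern stops at whitespace and at < > " ' so no markup can ride along.
    $pieces = preg_split(
        '~(https?://[^\s<>"\']+)~i',
        $text,
        -1,
        PREG_SPLIT_DELIM_CAPTURE
    );

    $html = '';
    foreach ($pieces as $i => $piece) {
        // Escape once, with quotes and an explicit charset (post #3's point).
        $escaped = htmlspecialchars($piece, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($i % 2 === 1) {
            // Odd indexes are the captured URLs; the escaped form is safe in
            // both the href attribute and the link text.
            $html .= '<a href="' . $escaped . '" rel="nofollow">' . $escaped . '</a>';
        } else {
            $html .= $escaped;
        }
    }

    // Convert the remaining newlines to <br> after escaping, so the tags this
    // function generates are the only markup in the output.
    return nl2br($html, false);
}

// Constructed input, taken from the sample in post #5.
$input = "<script><anytag> <unclosed tag\n"
       . "' comma  /' slash <br />comma  / slash\n"
       . "Adam & Eve &amp;\n"
       . "http://techbongo.com \n"
       . "<a href=\"http://techbongo.com/\">techbongo.com</a>\n"
       . "</Test> <b>Hello</b>\n"
       . "?>";

echo renderPost($input), "\n";
```

    Because the text is escaped exactly once and only at output, "Adam & Eve &amp;" is displayed as typed (the browser shows the literal "&amp;"), the pasted <a> and <b> tags appear as text rather than markup, and the only tags in the page are the <a> and <br> elements the renderer itself emits. Applying htmlentities() or addslashes() before storage, as in post #2, would leave double-encoded entities and stray backslashes in the column, which is the problem post #3 points out.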
  6. yuvrajm
    #6
    Use this function:
    
    preg_replace('/[^a-zA-Z0-9]/', '', $string);
    
    In this, the first part, '/[^a-zA-Z0-9]/', suggests what to allow; the second one, '', being blank, says that the replacement should be nothing; and $string is the data to be processed.
     
    yuvrajm, Sep 4, 2009 IP
  7. techbongo
    #7

    But in my case everything is getting translated except &. Whenever I enter & as input, it displays nothing. Why is this happening?

    I'm using AJAX. That's why my input is passed through URL in GET method. Is this happening because of AJAX?
     
    techbongo, Sep 4, 2009 IP
  8. szalinski
    #8
    If you're passing & characters through the GET method then they still need to be urlencoded and htmlentities()'d; I mistakenly assumed you had gotten past that part already. Even when you POST, the content still has to be urldecoded (the data that a user enters in a text box, for example), then after urldecode just run mysql_real_escape_string and html_entity_decode. Just experiment with them to see which output you're looking for.
     
    szalinski, Sep 4, 2009 IP
  9. techbongo
    #9
    Hi,
    I got a solution to my problem. I was passing variables and using AJAX for receiving the response. It was a JavaScript function which solved it. Now & is also passed as a value. The function is encodeURIComponent().

    The site is http://1to.in Please have a look.
     
    techbongo, Sep 7, 2009 IP
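    The disappearing & from posts #7 to #9 has nothing to do with HTML escaping or the database: in a query string a bare & separates parameters, so "text=Adam & Eve" reaches PHP as a parameter "text" holding "Adam " plus a second, unrelated parameter. The fix the original poster found, encodeURIComponent() on the JavaScript side, percent-encodes the & before the request is built. The following added example (not from the thread) reproduces both cases with constructed query strings so the difference can be seen without a browser; rawurlencode() is used to produce the same bytes encodeURIComponent() would send.

```php
<?php
// Added example, not code from the thread: why a raw "&" in an AJAX GET
// request disappears before PHP sees it. Query strings are constructed
// inline; no web server is needed.
declare(strict_types=1);

/** Parse a query string the way PHP fills $_GET and return the 'text' field. */
function receivedText(string $queryString): ?string
{
    parse_str($queryString, $params);
    return isset($params['text']) ? (string) $params['text'] : null;
}

$submitted = 'Adam & Eve';

// Naive client: the value is concatenated as-is, so the & starts a new
// parameter and "text" is truncated at the space before it.
$naive = 'text=' . $submitted;
var_dump(receivedText($naive));

// Correct client: the value is percent-encoded, which is what
// encodeURIComponent() does in JavaScript and rawurlencode() does in PHP.
$encoded = 'text=' . rawurlencode($submitted);
var_dump($encoded, receivedText($encoded));

// When PHP itself builds the query string, http_build_query() encodes every
// value, so nothing is ever concatenated by hand.
$built = http_build_query(['text' => $submitted, 'page' => 2]);
var_dump($built, receivedText($built));
```

    The same rule applies to POST bodies sent as application/x-www-form-urlencoded, which is the point post #8 makes about urlencoding: the encoding is a transport concern and is undone by PHP when it populates $_GET and $_POST, so it is separate from the HTML escaping done at display time.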