Hey there, I have a form where a user can input some text and it gets added to the database. ATM it is just inserted via mysql_real_escape_string(htmlspecialchars(... But this does not allow them to insert special characters like this: ◕‿◕ ☮✖ ✗ ✘ ♬ ♪ ♩ ♫ ♪ ☼ ✄ ✂ ✆ ✉ ✦ ✧ ♱ ♰ ♂ ♀ ☿ ⤠⥠⦠⧠If I remove the mysql real escape string it works, but it also allows them to insert iframes, scripts etc. Can I allow the symbols, but not the stupid shit like </a> tags, iframe tags, script tags etc? Thanks!
Did you already try the strip_tags() function? It's in the manual: http://id2.php.net/manual/en/function.strip-tags.php. Example:

```php
<?php
$text = '<p>Test paragraph.</p><!-- Comment --> <a href="#fragment">Other text</a>';
echo strip_tags($text);
echo "\n";

// Allow <p> and <a>
echo strip_tags($text, '<p><a>');
?>
```
I think your table needs to be unicode compatible. Most default charsets are latin1_general_ci, you will need utf8_unicode_ci.
Use strip_tags first to remove HTML tags from the text and then insert it into the table. Otherwise an iframe can go through it.
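An added example, not code from any poster in this thread: it stores the symbols from the question unchanged through a bound parameter and HTML-encodes only at output, then shows what strip_tags() does to the same stored value. It assumes PHP with the PDO SQLite driver and mbstring; the in-memory SQLite database, the `comments` table and `render_comment()` are hypothetical stand-ins for the poster's MySQL table.

```php
<?php
// SQLite in-memory stands in for the MySQL table so this runs offline.
// With MySQL, the PDO DSN would carry the connection charset, e.g. charset=utf8mb4.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input: symbols from the question plus markup that must not execute.
$input = "◕‿◕ ☮ ♫ <script>alert(1)</script> <iframe src=\"//example.invalid\"></iframe>";

// Reject byte sequences that are not valid UTF-8 before they reach the database.
if (!mb_check_encoding($input, 'UTF-8')) {
    throw new InvalidArgumentException('input is not valid UTF-8');
}

// Store the text as typed. The bound parameter keeps it out of the SQL syntax,
// so no manual escaping and no HTML encoding happens on the way in.
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $input]);

// Encode for HTML only at output time, telling PHP the text is UTF-8.
function render_comment(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$stored = $db->query('SELECT body FROM comments WHERE id = 1')->fetchColumn();

// The symbols pass through untouched; < > and quotes become entities,
// so the script and iframe tags are displayed as text instead of being parsed.
echo render_comment($stored), "\n";

// strip_tags() removes the tags themselves but keeps the text between them,
// and its result still needs encoding before it goes into an HTML page.
echo render_comment(strip_tags($stored)), "\n";
```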