I want to use an RTE for my blog script and let my users use / input HTML code. My question is: how do I make sure their input is safe? And what is unsafe HTML/code? Thanks a lot!
How would you be storing the data? You should NEVER store HTML code in a MySQL DB. You could use str_replace("<", "[", $test). Then you can check the code yourself and make sure it is safe (not calling any of your scripts etc.).
I'm a little bit confused... maybe I am wrong! I normally use the mysql_real_escape_string function to avoid such hacks in the MySQL queries. What if I'm storing the HTML data in BLOB format and also use safe MySQL queries? Is my database still vulnerable?
Yes, you are right, but how do I store HTML code in the MySQL DB safely? You mean use [] instead of <>?
From http://in2.php.net/mysql_real_escape_string: can anyone give me a few examples of SQL injection or any other attacks when storing HTML data in a database?
The past few days I did search on Google and read many web pages about safe HTML, but I still can't get any idea how to write my script to prevent unsafe HTML code. I just get some info like "Open comments or '<![CDATA[' are dangerous". Now I want to know more: any other code I need to convert or replace...
Use the strip_tags function to strip out unwanted HTML tags from user inputs. You might want to read the full details here: http://in2.php.net/strip_tags
Here is some information on security with PHP and MySQL: http://www.sitepoint.com/article/php-security-blunders
Just for the record, you can store *anything*, apart from Oreos & milk, in your MySQL database as long as you pass it through the mysql_real_escape_string function first. Period. This means HTML, C++ code, an SQL query, anything. There will be no errors, risks or "unsafety". If you still don't like the idea of naked HTML sitting in your database, use base64_encode on it on the way in and base64_decode on the way out. The only side-effect will be a bloated table.
There are no problems storing HTML in a database as long as the mysql_real_escape_string function is used. Now the problem is if one of your users attaches JavaScript along with the HTML, then you're screwed, and it's very, very, very hard to filter JavaScript out.
The best way to get around this is to use the fopen functions to create a new file each time, and store the file name in the database. Then when you want to call the file, you use require.
You can simply use the function preg_replace to filter out the JavaScript/style/class code in your HTML.
Um, I said hard, not impossible. There are just so many ways JavaScript could be injected: someone posting JavaScript to redirect away from your site, set cookies etc. Search Google; you don't want people posting JavaScript.
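An added example (not code from the thread) of what "filtering the JavaScript out" looks like when done by allowlist instead of by strip_tags or a preg_replace blocklist: it parses the fragment with PHP's DOMDocument (PHP 7+) and keeps only listed tags, listed attributes, and http(s)/relative URLs, so event handlers, style, script blocks, comments and javascript: links never reach the page. The tag/attribute policy and the function names are assumptions made for the illustration; store the result with a prepared statement and echo it only into the post body, never into an attribute.

```php
<?php
// Added example (not from the thread): an allowlist sanitiser built on DOMDocument. Unlike
// strip_tags() it also drops attributes (onclick, style) and unsafe URL schemes.
const ALLOWED = [   // tag => attributes allowed to survive (assumed policy, adjust as needed)
    'p' => [], 'br' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'ul' => [],
    'ol' => [], 'li' => [], 'blockquote' => [], 'a' => ['href', 'title'], 'img' => ['src', 'alt'],
];

function safe_url(string $url): bool {
    $u = preg_replace('/[\x00-\x20\x7f]/', '', $url);   // defeats "java\tscript:" spacing tricks
    // http(s), same-origin relative path (not //host), query/fragment, or scheme-less name
    return preg_match('~^(?:https?://|/(?!/)|[?#]|[^:/?#]+(?:[/?#]|$))~i', $u) === 1;
}

function clean_node(DOMNode $node): void {
    // Walk a copy of the list: removing from the live NodeList while looping skips siblings.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText && !($child instanceof DOMCdataSection)) {
            continue;                                    // plain text is escaped on output
        }
        $tag = $child instanceof DOMElement ? strtolower($child->nodeName) : null;
        if ($tag === null || !isset(ALLOWED[$tag])) {    // comments, PIs, script, iframe, form...
            $node->removeChild($child);                  // dropped together with its content
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            $ok = in_array($name, ALLOWED[$tag], true)
               && (!in_array($name, ['href', 'src'], true) || safe_url($attr->nodeValue));
            if (!$ok) {
                $child->removeAttribute($attr->nodeName); // onclick=, style=, javascript: ...
            }
        }
        clean_node($child);
    }
}

function sanitize_html(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                    // tolerate the tag soup users paste
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);                                   // anything outside <body> is discarded
    return preg_replace('~^<body>|</body>\s*$~', '', $doc->saveHTML($body));
}
// Constructed sample: the handler, the javascript: link and the <script> block are removed.
echo sanitize_html('<p onclick="alert(1)">Hi <a href="javascript:alert(1)">link</a>'
                 . '<script>steal()</script><img src="a.png" onerror="alert(1)"></p>'), "\n";
```

Unknown tags are dropped together with their content rather than unwrapped, which is the safe default; widen ALLOWED rather than switching the check to a blocklist.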