Is there anyway to clear the html code via php which is stored in the database?

Question

Is there anyway to clear the html code via php which is stored in the database?

Possible duplicate:
What is the best method for disinfecting user input using PHP?

I use TinyMCE to allow editing a small part of a web page.

This field is stored in the database.

Is there a regex that I can use to clear incoming HTML to avoid any kind of attack like XSS / NULL / DROP TABLES?

I did this on single-line text / numbers inputs, etc., but am not sure how to do this when getting an HTML string.

+6

html php mysql xss

GT22 May 21 '12 at 14:48

source share

3 answers

You can use PHP functions: striptags and htmlspecialchars :

http://php.net/manual/en/function.strip-tags.php

+5

Darren davies May 21 '12 at 14:50

source share

You can use this -

  function safe_sql($obj) { $obj = htmlspecialchars($obj); $obj = str_replace('"',"&quot;",$obj); $obj = str_replace("'","&#39;",$obj); $obj = str_replace("`","&#96;",$obj); $obj = mysql_real_escape_string($obj); return $obj; }

I use it and it works fine. And you can also use this function to make it normal (after pulling data from the database) -

  function to_Normal($data) { $data = htmlspecialchars_decode($data); $data = str_replace("&quot;",'"',$data); $data = str_replace("&#39;","'",$data); $data = str_replace("&#96;","`",$data); $data = nl2br($data); return $data; }

+2

Yehonatan May 21, '12 at 15:57

source share

raina77ow · Accepted Answer · 2012-05-21T14:51:49+0000

I would recommend playing with HTMLPurifier .

Is there anyway to clear the html code via php which is stored in the database?

More articles: