SitePoint Sponsor

User Tag List

Results 1 to 2 of 2

Hybrid View

  1. #1
    SitePoint Enthusiast
    Join Date
    Apr 2012
    Posts
    99
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)

    Best way save user input in database(RTE)

    Hey There,

    i have been working with a RTE and my current cleaning function trim(strip_tags(stripslashes())). I use PDO for inserting data in to the database, so i am not one hundred % sure on how i should go with the RTE text area input. I am not sure how i should clean that input, or if i should just use htmlenties to display it in a safe way in the website.

  2. #2
    SitePoint Wizard silver trophybronze trophy Cups's Avatar
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    Mentioned
    17 Post(s)
    Tagged
    1 Thread(s)
    If you use PDO's prepared statements to protect your database from injection, and you then use htmlentities to protect your users from XSS attacks, then you ought to be fine.

    As for "cleaning that input", this will only work when you know exactly what is going to be allowed and you either filter out everything else, or detect and infringement and abort that operation -- so called Filtering Input (FIEO)

    e.g. a phone number. You might permit spaces, dashes, round brackets and numbers.

    For a free for all text area you face an impossible task, so you simply have to protect each environment from attack by Escaping Output. (FIEO)


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •