Home/ Questions/Q 6248387
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T13:02:51+00:00

I have tinyMCE editor which is passing data to php processing file. If I

  • 0

I have tinyMCE editor which is passing data to php processing file.

If I use $variable=$_POST(['tinyMCE_textarea']); everything is ok.
But I want to secure it so nothing bad will come from user who entered some data into textarea.

And when I use $variable=mysql_real_escape_string($_POST(['tinyMCE_textarea']));
The result becomes dammaged with some \" signs. So how can I add maximum security without changing the variable ?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    TinyMCE is able to clean up data, however it is critical that you don’t rely on client-side stuff.

    To secure data for database, you use mysql_real_escape_string(). The result is intended for use with mysql and not for display.

    To secure data for display, you use the htmlspecialchars() function. htmlentities() also works but would convert all applicable entities, so for security you only need htmlspecialchars().

    So the simplified picture is

    .// Insert to database
mysql_query("INSERT INTO data (content) VALUES ('" . mysql_real_escape_string( $_POST['tinyMCE_textarea'] ) . "')");

.// Display to user - doesn't matter whether the data is from post or database
echo htmlspecialchars ( $_POST['tinyMCE_textarea'] );
    • 0