I recently started to use NicEdit on my “Article Entry” page. However, I have some questions about security and preventing abuse.
First question:
I currently sanitize every input with “mysql_real_escape_string()” in my database class. In addition, I sanitize HTML values with “htmlspecialchars(htmlentities(strip_tags($var)))”.
How would you sanitize your “HTML inputs” while adding them to the database, or does the way I’m doing it work perfectly?
Second question:
While I was writing this question, there was a question with a “similar title”, so I read it once. It was someone talking about “abused HTML inputs” used to mess with his valid template (e.g. just input).
It may occur on my current system too. How should it be dealt with in PHP?
PS: I want to keep using NicEdit, so using a BBCode system should be the last resort.
Thank you.
mysql_real_escape_string() is not sanitization; it escapes text values to keep the syntax of the SQL query valid/unambiguous/injection safe. strip_tags() is sanitizing your string. htmlentities() and htmlspecialchars() in sequence is overkill and may just garble your data. Since you’re also stripping tags right before that, it’s double overkill. Use mysql_real_escape_string() once before putting the data into the query. You also do the same thing, protecting your HTML syntax, by HTML escaping text before outputting it into HTML, using either htmlspecialchars() (recommended) or htmlentities(), not both.
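A worked version of the answer’s three layers (sanitize once on input, escape once for SQL before the query, escape once for HTML before output), added here as an example and not code from the question or the answer; it assumes an open mysqli connection $conn and uses mysqli_real_escape_string() in place of the removed mysql_real_escape_string().

```php
<?php
// Added example, not code from the question or the answer above.
// $conn is assumed to be an open mysqli connection (not shown).

// Constructed sample of what a rich-text editor like NicEdit might submit.
$submitted = '<p>Tom &amp; Jerry say <b>"hi"</b></p><script>alert(1)</script>';

// 1. Sanitize once (on input): keep only the tags the editor is allowed to emit.
//    Caveat: strip_tags() keeps attributes on allowed tags, so for real rich-text
//    input run a dedicated HTML purifier (e.g. HTML Purifier) instead of, or after, this.
$allowedTags = '<p><b><i><u><ul><ol><li><br>';
$body = strip_tags($submitted, $allowedTags);
// $body === '<p>Tom &amp; Jerry say <b>"hi"</b></p>alert(1)'

// 2. Escape once for SQL (on storage), immediately before building the query.
//    This only keeps the statement syntactically valid; it is not sanitizing.
//    A prepared statement does the same job without manual escaping.
$sql = "INSERT INTO articles (body) VALUES ('"
     . mysqli_real_escape_string($conn, $body) . "')";

// 3. Escape once for HTML (on output) when a value is shown as text. The
//    sanitized article body is meant to render as markup, so it is NOT escaped
//    again here; a plain-text field such as the title is.
function asText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$title = 'Tom & Jerry "live"';
echo '<h1>' . asText($title) . '</h1>';   // <h1>Tom &amp; Jerry &quot;live&quot;</h1>
echo $body;                               // sanitized HTML, rendered as markup

// What the stacked call from the question does to the same title: the
// ampersand is encoded twice, so the page shows the literal text "&amp;".
$garbled = htmlspecialchars(htmlentities($title));
// $garbled === 'Tom &amp;amp; Jerry &amp;quot;live&amp;quot;'
```

Rendering $body as markup is only safe because step 1 removed everything but an allowlist of tags; a purifier that also strips attributes is what closes the remaining gap (event handlers on allowed tags) for untrusted rich-text input.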