I'm building a PHP CMS and the content will be pulled from a MySQL DB. How can I escape the content which has HTML markup, and when should I do this?
I'm just not sure how big an issue this is for main page content fields if only 'trusted' users can add content.
Thanks a lot in advance 😉
Well, you would want to use something like the htmlentities() function on the data when you are outputting it, or the strip_tags() function.
The first defense, though, would be to only accept data in the format you are expecting.
For example, if it is a Name: field in a form you would only accept letters, spaces, ', -, and a few more characters. Don't add data into your database before checking if it is in the correct format.
Most form fields on a website do not require characters like < and >, so don't let the data be added to the database without checking if it is in the correct format. If you are expecting a positive integer like the number 1, 2, 3, 4... and so on, don't let the script continue until those requirements are satisfied.
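The two layers from the answer above (validate on input, escape or strip on output) as an added PHP example, not code from anyone in this thread; the function names, the tag allowlist and the sample rows are my own assumptions, and htmlspecialchars() is used as the narrower variant of the htmlentities() call the answer names:

```php
<?php
// Added example (not from the thread): validate on input, escape on output.

// Input validation for a Name field: letters, spaces, apostrophe, comma, hyphen.
// Returns true only if the whole string consists of allowed characters.
function isValidName(string $name): bool
{
    return preg_match('/^[\p{L} \',\-]{1,100}$/u', $name) === 1;
}

// Input validation for a positive integer (1, 2, 3, ...); rejects "0", "-1", "3.5", "12abc".
function isPositiveInt(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) !== false;
}

// Output escaping for plain-text fields: < > & " ' become entities, so stored
// text is displayed literally and can never be parsed as markup.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Output handling for a content field that legitimately carries markup: keep only
// a small tag allowlist. Caveat: strip_tags() leaves attributes on allowed tags
// untouched (an onclick on <p> survives), so it is not a complete sanitiser.
function renderContent(string $html): string
{
    return strip_tags($html, '<p><br><strong><em><ul><ol><li>');
}

// Constructed sample rows standing in for form submissions / DB content.
$rows = [
    ['name' => "Conan O'Brien", 'qty' => '3', 'body' => '<p>Hello <em>world</em></p>'],
    ['name' => '<script>alert(1)</script>', 'qty' => '-1', 'body' => '<p>Hi</p><script>x()</script>'],
];

foreach ($rows as $row) {
    // Reject at the boundary; data that fails validation is never stored.
    if (!isValidName($row['name']) || !isPositiveInt($row['qty'])) {
        echo 'rejected: ' . escapeHtml($row['name']) . "\n";
        continue;
    }
    echo '<h2>' . escapeHtml($row['name']) . '</h2>' . "\n";
    echo '<div>' . renderContent($row['body']) . '</div>' . "\n";
}
```

The first row passes validation and renders with its allowed tags kept; the second is rejected on input, and even its echoed name is escaped so the rejection message itself cannot inject markup.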