I’m building a review site that will allow users to submit reviews which will be stored in a MySQL DB. Reviews will be manually reviewed by me for content, and then displayed on my site. Here’s my custom function for cleaning the data (every item on the form is passed to this function):
```php
function cleanDataForDB($data) {
    // Strip HTML tags, encode what remains as HTML entities, then trim whitespace.
    $data = trim(htmlentities(strip_tags($data)));
    // Undo magic_quotes escaping if PHP added it (removed in PHP 7, along with
    // the mysql_* extension used below).
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    // Escape for use inside a quoted string in a MySQL query.
    $data = mysql_real_escape_string($data);
    return $data;
}
```
I haven’t written the script to display the reviews once they’ve been approved yet, but I was planning on just passing all the fields from my MySQL table through html_entity_decode() function and writing them to the HTML of my page.
Does anyone see any obvious security holes in this plan? It seems pretty safe to me, but this is the first site I’ve built that allows user-submitted data, so I want to be sure I’m not leaving myself vulnerable.
Thanks!
You should do database escaping on the data before putting it into the DB, and do HTML escaping on pulling it out. That way, you can process the HTML in the user’s posts in the future without finding “oops, I mangled it”.
The best way to escape the data for insert is to use PDO.
For displaying the data, htmlentities is probably sufficient.
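The pattern the answer describes (store the raw text via a prepared statement, escape for HTML only at output time), as an added example that is not code from the question or the answer. The table name `reviews`, its columns, and the PDO DSN/credentials are assumptions for the illustration.

```php
<?php
// Added example: PDO prepared statements on insert, HTML escaping on output.
// Assumed schema: reviews(id INT AUTO_INCREMENT, author TEXT, body TEXT, approved TINYINT).
declare(strict_types=1);

function connect(): PDO
{
    // DSN, user and password are placeholders for this example.
    return new PDO(
        'mysql:host=localhost;dbname=reviews;charset=utf8mb4',
        'app_user',
        'secret',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

function storeReview(PDO $pdo, string $author, string $body): int
{
    // No strip_tags/htmlentities here: the database holds what the user typed,
    // and the bound parameters mean quotes and backslashes need no escaping.
    $stmt = $pdo->prepare(
        'INSERT INTO reviews (author, body, approved) VALUES (:author, :body, 0)'
    );
    $stmt->execute([
        ':author' => trim($author),
        ':body'   => trim($body),
    ]);
    return (int) $pdo->lastInsertId();
}

function approveReview(PDO $pdo, int $id): void
{
    // The manual moderation step: flip the flag, again with a bound parameter.
    $stmt = $pdo->prepare('UPDATE reviews SET approved = 1 WHERE id = :id');
    $stmt->execute([':id' => $id]);
}

function esc(string $s): string
{
    // Escape at the point of output for an HTML text or attribute context.
    // ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE avoids returning an
    // empty string on invalid UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderApprovedReviews(PDO $pdo): string
{
    $stmt = $pdo->query(
        'SELECT author, body FROM reviews WHERE approved = 1 ORDER BY id DESC'
    );
    $html = '';
    foreach ($stmt as $row) {
        $html .= '<div class="review">'
               . '<p class="author">' . esc($row['author']) . '</p>'
               . '<p>' . nl2br(esc($row['body'])) . '</p>'
               . "</div>\n";
    }
    return $html;
}

// Usage with constructed input: an author name containing a quote and a body
// containing a script tag. Both survive storage unchanged and are neutralised
// only when rendered.
$pdo = connect();
$id = storeReview($pdo, "O'Brien", '<script>alert(1)</script> Great "product"');
approveReview($pdo, $id);
echo renderApprovedReviews($pdo);
```

Because the stored text is never HTML-encoded, it can later be rendered in another context (an e-mail, a JSON API, a Markdown pipeline) with that context's own escaping, rather than having to undo `htmlentities` first.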