Hola

When outputting user input I use this function:

function bbkoda($text) {
    // Escape HTML first, so nothing the user typed reaches the browser as live markup
    $text = htmlspecialchars($text);
    // Turn newlines into <br /> tags
    $text = nl2br($text);

    // BBCode patterns to look for ("hitta" = find); the 'is' flags make the
    // match case-insensitive and let (.*?) span line breaks
    $hitta = array(
        "'\[b](.*?)\[/b]'is",
        "'\[i](.*?)\[/i]'is"
    );

    // HTML to emit instead ("byt" = replace); \\1 is the captured inner text
    $byt = array(
        "<b>\\1</b>",
        "<i>\\1</i>"
    );

    $text = preg_replace($hitta, $byt, $text);

    return $text;
}

This is pretty safe, right? I sanitize everything I insert into the db with mysql_real_escape_string and output it with htmlspecialchars. I'm a very doubtful person :P

Thanks

A: 

There is already a quite good explanation on stackoverflow on this topic. Basically you definitely need to work on your in- and output to get it really safe!

merkuro
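Added example, not code from the asker or the answerer: the same escape-then-convert order as the posted function, but with explicit htmlspecialchars flags and charset, and a small stack-based converter so that the emitted <b>/<i> HTML is always balanced (the posted regexes turn [b][i]x[/b][/i] into <b><i>x</b></i>). The function name bbkoda_safe and the inputs are constructed for this example.

```php
<?php
// Escape first, then convert a fixed whitelist of BBCode tags with a stack so
// the emitted HTML is always balanced. Only <b> and <i> are ever produced,
// with no attributes, so the escaped user text can never become markup.
function bbkoda_safe(string $text): string
{
    // Escape everything, including quotes; invalid UTF-8 is substituted, not dropped
    $text = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    $text = nl2br($text);

    $allowed = ['b' => 'b', 'i' => 'i'];   // bbcode tag => HTML element
    $out   = '';
    $stack = [];                           // tags currently open
    // Split on [b], [/b], [i], [/i] (any case) and keep the delimiters
    $parts = preg_split('~(\[/?[bi]\])~i', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    foreach ($parts as $part) {
        if (preg_match('~^\[(/?)([bi])\]$~i', $part, $m)) {
            $tag = strtolower($m[2]);
            if ($m[1] === '') {                   // opening tag
                $stack[] = $tag;
                $out .= '<' . $allowed[$tag] . '>';
            } elseif (end($stack) === $tag) {     // close matches innermost open tag
                array_pop($stack);
                $out .= '</' . $allowed[$tag] . '>';
            } else {
                $out .= $part;                    // stray or mis-nested close: keep as text
            }
        } else {
            $out .= $part;                        // already-escaped text
        }
    }
    while (($tag = array_pop($stack)) !== null) { // close anything left open
        $out .= '</' . $allowed[$tag] . '>';
    }
    return $out;
}

// Constructed inputs to show the behaviour
$cases = [
    '[b]<script>alert(1)</script>[/b]',   // markup inside a tag stays escaped
    '[b][i]text[/b][/i]',                 // mis-nested: output stays balanced
    '[i]never closed',                    // unclosed tag is closed at the end
];
foreach ($cases as $c) {
    echo bbkoda_safe($c), "\n";
}
```

The first case prints &lt;script&gt; as text wrapped in <b>, the second prints <b><i>text[/b]</i></b>, and the third prints <i>never closed</i>.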