I'm using the TinyMCE editor on my site. I want to learn the correct way to filter my input when inserting it into the DB. Which filters do I need to use? For example, I get this input into the DB this way:

$example = $_POST['example'];

<textarea name="example"></textarea>

I'm not using htmlspecialchars() because I need the HTML tags.

"Sorry for my poor English."

A: 

You can use strip_tags

and pass an array of allowed tags; only the tags you want remain.

http://php.net/manual/en/function.strip-tags.php, like:

// Allow <p> and <a> tags

strip_tags($text, '<p><a>');
Haim Evgi
He just said that he 'needs' the html tags... that would strip them...
xil3
The second parameter is the allowed tags array; he can use it. I inserted an example.
Haim Evgi
He didn't say that he only needed 'some' html tags, he said he needs them all.
xil3
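As an added illustration (not code from the answer above), this shows what strip_tags() with an allowed-tag list actually leaves behind. The input string is constructed for the example, and the helper hasScriptyAttributes() is a hypothetical check written here, not a PHP built-in:

```php
<?php
// Added example, not from the answer above. Constructed sample input: an
// allowed <p> and <a> carrying attributes, plus tags that are not allowed.
$dirty = '<p onclick="x()">Hello <b>world</b> <script>x()</script></p>'
       . ' <a href="javascript:x()">link</a>';

// Keep only <p> and <a>. strip_tags() removes the other tags but keeps
// their text content, so the "x()" from the <script> element remains as text.
$stripped = strip_tags($dirty, '<p><a>');

// The allowed tags survive with all of their attributes untouched:
// strip_tags() never inspects attributes, so the onclick handler and the
// javascript: URL are still there. It is a tag filter, not an XSS filter.
echo $stripped, "\n";

// Hypothetical helper (not a PHP built-in): a coarse check that the result
// still carries an on* attribute or a javascript: URL, i.e. that the
// allowed-tag list alone did not make the markup safe to render.
function hasScriptyAttributes(string $html): bool {
    return (bool) preg_match('/\bon[a-z]+\s*=|javascript\s*:/i', $html);
}

if (hasScriptyAttributes($stripped)) {
    echo "allowed-tag list left executable attributes in place\n";
}
```

The practical consequence for the question: whitelisting tags with strip_tags() decides which elements survive, but says nothing about the attributes on those elements, so it cannot on its own make editor output safe to display.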
A: 

If I understand correctly, you want to save html to your database, and need some way to encode it?

You could do the following before saving to the db:

urlencode($_POST['example']);

And when you retrieve, you can urldecode($data);

xil3
Is there a reason I got down-voted? The answer I gave is a viable solution - so, whoever down-voted better come forward and explain why they feel it's not...
xil3
+1 to compensate you for that cowardly downvote
Thariama
I appreciate it :)
xil3
A: 

PHP has a very nice filter function: http://php.net/manual/de/ref.filter.php

That's assuming you are using MySQL as database.

/*** use a callback filter to mysql_real_escape_string ***/
/*** note: the mysql_* functions were deprecated in PHP 5.5 and removed in PHP 7 ***/
$example = filter_input(INPUT_POST, "example", FILTER_CALLBACK, array("options"=>"mysql_real_escape_string"));

$sql = "INSERT INTO content (example) VALUES ('{$example}')";

/*** echo the query ***/
echo $sql;

You can as well just escape your POST field (if you don't want to use the above method):

*Side Note: In short mysql_real_escape_string() escapes data, it doesn't sanitize it -- escaping and sanitizing aren't the same thing.*

$example = mysql_real_escape_string(stripslashes($_POST['example']));

Or you can go for prepared statements, which is the best option I believe (mysqli).

Prix
$value = str_replace("'", "`", $example); and $example = mysql_escape_string($_POST['example']); are these the same assignments? Which one is the safer way?
Aaron
You can use stripslashes($value) for that; I have updated the answer with a sample on mysql_real_escape_string.
Prix
Thanks for your help.
Aaron
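The prepared-statement route that this answer calls the best option, as an added example rather than the answer's own code. It uses PDO instead of mysqli, reuses the `content` table and `example` column from the answer's SQL, and the DSN, user name and password are placeholders:

```php
<?php
// Added example, not code from the answer above: the same INSERT done with a
// PDO prepared statement instead of mysql_real_escape_string(). The table
// `content` and column `example` come from the answer's own SQL; the DSN,
// user name and password below are placeholders to replace.
$pdo = new PDO(
    'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',
    'YOUR_USER',
    'YOUR_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Read the raw field: no stripslashes(), no escaping. The value travels to
// MySQL separately from the SQL text, so quotes inside the HTML cannot
// change the statement. This is the "escaping vs. sanitizing" distinction
// from the side note: the parameter binding removes the need to escape,
// while the HTML itself is still untrusted for display and needs a separate
// HTML sanitizer before it is rendered.
$example = $_POST['example'] ?? '';

$stmt = $pdo->prepare('INSERT INTO content (example) VALUES (:example)');
$stmt->execute([':example' => $example]);

echo 'Stored row id ', $pdo->lastInsertId(), "\n";
```

With emulated prepares switched off, the statement text and the bound value are sent to the server in separate protocol messages, which is what makes the escaping step unnecessary in the first place.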
A: 

HTMLPurifier.

Download it here: http://htmlpurifier.org/

Include it:

include 'path/to/HTMLPurifier.auto.php';

Use it:

$config = HTMLPurifier_Config::createDefault();
// Directive names take the "Namespace.Directive" form; the doctype directive lives in the HTML namespace
$config->set('Core.Encoding', 'UTF-8');
$config->set('HTML.Doctype', 'XHTML 1.0 Strict');
$purifier = new HTMLPurifier($config);
$dirty_html = $_POST['example']; // the raw editor content from the question
$clean_html = $purifier->purify($dirty_html);

And sleep well knowing there are no XSS attacks in HTML cleaned like this.

People suggesting mysql_real_escape_string() probably didn't get your question (or I didn't); you were asking how to filter HTML markup from a WYSIWYG editor so it can be safely stored in a database.

mysql_real_escape_string() is relevant as a protection against SQL injection but prepared statements (google "PDO") are better for that.

Richard Knop
Just as a side comment on my answer, I said "prepared statements, which is the best option".
Prix
Yes, that's true; I didn't read your answer to the end.
Richard Knop
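An added example (not the answer's own code) of HTMLPurifier configured with an explicit allow-list, which is how one keeps the editor's formatting tags while removing everything executable. The include path, the allow-list chosen here, the HTML.Nofollow setting and the sample input are assumptions made for the example:

```php
<?php
// Added example, not code from the answer above. Assumes HTMLPurifier is
// installed; adjust the path to HTMLPurifier.auto.php for your setup.
require_once 'path/to/HTMLPurifier.auto.php';

function makePurifier(): HTMLPurifier {
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'XHTML 1.0 Strict');
    // Allow-list (chosen for this example): elements and, in brackets, the
    // attributes each may carry. Anything not listed is removed, including
    // <script>, <iframe>, style attributes and every on* event handler.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,a[href]');
    // Only http/https URLs are kept in href; a javascript: URL is dropped.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    // Optional: mark outgoing links rel="nofollow" so stored content cannot
    // be used to pass link reputation to arbitrary sites.
    $config->set('HTML.Nofollow', true);
    return new HTMLPurifier($config);
}

// Clean editor content once, before it goes to the database, so every page
// that later renders the column can print it as-is (no htmlspecialchars(),
// which would turn the formatting back into visible tags).
function cleanEditorHtml(string $dirty): string {
    static $purifier = null;
    if ($purifier === null) {
        $purifier = makePurifier();
    }
    return $purifier->purify($dirty);
}

// Constructed sample input mixing allowed formatting with things that must go.
$dirty = '<p onclick="x()">Hello <b>world</b></p>'
       . '<script>x()</script>'
       . '<a href="javascript:x()">bad link</a> '
       . '<a href="https://example.com/">good link</a>';

echo cleanEditorHtml($dirty), "\n";
```

Storing the purified string with a prepared statement then covers both layers the thread discusses: HTMLPurifier decides what markup is allowed to reach a browser, and the parameter binding keeps the markup from ever being interpreted as SQL.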