views:

30

answers:

2

I have a PHP MySQL database which I will be storing all my information in. I have a text field on a HTML page that the user can add data to and then on submit a MySQL query inserts this information into a database. Pretty standard stuff.

However, I am now in a position where I can attach a TinyMCE or FCKEditor onto my text field (now a text area). My question is: How do I get this information into the database now, taking into account that the tags will affect the MySQL query, and stripping any tags would impair the display of said information on another page?

I know about strip_tags and similar PHP features, but my problem isn't going to be with the PHP; it's going to be with the database input with MySQL: any " or ' or ; will break the query, and removing these tags before input would remove any format enhancements the user has made.

I am under the assumption also that if I use mysql_real_escape_string I would need to strip the slashes before I display the data - and this would take all the slashes out of the close tags as well: , etc.

+1  A: 

You need to escape the value before you insert it in your SQL statement. If you use the mysql extension, you use mysql_real_escape_string to do this:

$text = mysql_real_escape_string($_POST['text']);

It escapes characters such as quotation marks, so you can safely insert the value into the database.

reko_t
I thought that on the other side (i.e. when I'm displaying the data in the database), I'd need to strip slashes, and upon stripping the slashes all the close tags </a> and <br /> would have their slashes removed as well, impairing the format of the data. I mean I already have mysql_real_escape_string on things like user input but thought there may be another method I could use for this particular situation
Daniel Hanly
You _never_ need to use stripslashes on a properly configured webserver. They were used back when magic quotes were used in PHP, but they've been deprecated for a while now. Also `stripslashes` strips backslashes, not `/`, so tags like `</a>` would be unaffected anyway.
reko_t
So how would I output this data then? I wouldn't want all the escape slashes in my output
Daniel Hanly
There should be no slashes. `mysql_real_escape_string` only adds slashes so that the query won't break. There will be no slashes in the actual value stored in the database.
reko_t
I gave it a quick test and unfortunately the slashes ARE stored in the database. I'll have to use stripslashes on display
Daniel Hanly
Then you probably have magic quotes on (which you really really should not have on). Confirm with `var_dump(get_magic_quotes_gpc());` If it returns true, then you should really turn it off in your php.ini. If it returns false, you're double escaping your input, and need to find where that happens.
reko_t
A: 

Look at this:

http://php.net/manual/en/function.mysql-real-escape-string.php

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));
NAVEED
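The point both answers and the comment thread turn on (escaping protects the SQL statement, the stored value itself carries no slashes, and slashes in the table mean the input was escaped twice) can be checked directly. The following is an added example, not code from the question, the answers or php.net; it uses PDO with an in-memory SQLite table standing in for the MySQL table so it runs offline, and the table and column names (`posts`, `body`), the function names and the sample markup are all invented for the demonstration. It binds the value as a parameter, which is the current PHP way of keeping the value out of the statement text (the `mysql_*` functions shown above no longer exist in PHP 7 and later).

```php
<?php
// Added example (not from the original question or answers). Assumes PHP 8
// with the pdo_sqlite extension; SQLite in memory stands in for the MySQL
// table so the script runs offline. Table/column names are invented.

declare(strict_types=1);

// Constructed sample: the kind of markup TinyMCE/FCKEditor produces, with the
// characters the question worries about (", ', ;) and closing-tag slashes.
const SAMPLE_HTML = "<p>It's \"quoted\"; <a href='/x'>link</a><br /></p>";

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Store editor output through a bound parameter: the driver keeps the value
// and the SQL separate, so quotes and semicolons in the HTML cannot break the
// statement, and nothing is added to the text that lands in the table.
function storeBody(PDO $db, string $html): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $html]);
    return (int) $db->lastInsertId();
}

function loadBody(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Symptom check from the comment thread: a backslash-escaped quote in the
// stored text means the input was escaped twice (magic quotes or a second
// escaping layer), not that the escaping function wrote slashes to the table.
function looksDoubleEscaped(string $stored): bool
{
    return (bool) preg_match('/\\\\[\'"]/', $stored);
}

$db = openDb();

// Correct path: bound parameter, stored value round-trips byte for byte.
$id   = storeBody($db, SAMPLE_HTML);
$back = loadBody($db, $id);
printf("round trip identical: %s\n", var_export($back === SAMPLE_HTML, true));
printf("double escaped:       %s\n", var_export(looksDoubleEscaped($back), true));

// Faulty path: input already mangled by magic quotes (simulated here with
// addslashes) and then bound as a parameter. Now the slashes really are stored.
$id2   = storeBody($db, addslashes(SAMPLE_HTML));
$back2 = loadBody($db, $id2);
printf("double escaped:       %s\n", var_export(looksDoubleEscaped($back2), true));

// Closing-tag slashes (</a>, <br />) are forward slashes; addslashes and
// stripslashes only touch backslashes, so they survive either path unchanged.
printf("closing tags intact:  %s\n", var_export(str_contains($back2, '</a>'), true));
```

Run it with `php example.php`: the first insert comes back identical and flags nothing, the second (mangled before storage) is the case in which `stripslashes` on display would seem necessary, and the real fix is to remove the extra escaping layer rather than to strip on output. Binding (or escaping) covers the SQL side only; what the stored HTML does when it is later rendered in a page is a separate output concern that this example does not address.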