Is there anyway to clean HTML code via php being saved to a database?

Question

Possible Duplicate:
What's the best method for sanitizing user input with PHP?

I'm using TinyMCE to allow uses to edit a small portion of a web page.

This field is saved to a database.

Is there a regular expression I can use to clean the incoming HTML code so it avoids any XSS/NULL/DROP TABLES kind of attacks?

I've done this on single line inputs text/numbers etc, but not sure how to go about this when receiving an HTML string.

score 11 · Accepted Answer · answered May 21 '12 at 14:51

11

I'd recommend playing with HTMLPurifier.

answered May 21 '12 at 14:51

raina77ow

103,633
15
192
229

score 5 · Answer 2 · answered May 21 '12 at 14:50

5

You can use the PHP functions: striptags and htmlspecialchars:

http://php.net/manual/en/function.strip-tags.php

answered May 21 '12 at 14:50

Darren

68,902
24
138
144

This will obliterate the HTML produced by TinyMCE. He wants to allow HTML but remove any XSS threats. – MrCode May 21 '12 at 14:59
@MrCode is correct. I don't want to strip any tags, just strip dangerous tags or javascripts. – GT22 May 21 '12 at 15:11

score 2 · Answer 3 · answered May 21 '12 at 15:57

You can use this -

 function safe_sql($obj)
{
    $obj = htmlspecialchars($obj);
    $obj = str_replace('"',"&quot;",$obj);
    $obj = str_replace("'","&#39;",$obj);
    $obj = str_replace("`","&#96;",$obj);
    $obj = mysql_real_escape_string($obj);
    return $obj;
}

I'm using it and it's working fine. And you can also use this function to make it normal(after you pull the data from the database) -

 function to_Normal($data)
{
    $data = htmlspecialchars_decode($data);

    $data = str_replace("&quot;",'"',$data);
    $data = str_replace("&#39;","'",$data);
    $data = str_replace("&#96;","`",$data);
    $data = nl2br($data);
    return $data;
}

Is there anyway to clean HTML code via php being saved to a database?

3 Answers3