0

Little background. I'm making a forum with an account system.

So naturally they have to insert data into the database whilst speaking in the forums.

What is the safest way to let the user input data in a textarea?

Is there a way so they can't just type in DROP TABLE 'USERS', or something else that might affect my forum?

Now I know there are some solutions to this, but how can I do this so that they're able to make their text look nice (<h1>,<img>) etc, but not do a proper SQL query?

Kinda like this page is made, I can type here with all sorts of looks but I cannot do anything to harm the page.

Thanks.

-Kevin

jACK
  • http://www.codeproject.com/Articles/9378/SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev – Khurram Ali Feb 13 '15 at 09:20
  • You should read about "SQL injections" and prevention of those. Most database APIs allow prepared statements and automatically escape dynamic content properly (when used correctly). – Tobias Feb 13 '15 at 09:21

2 Answers

1

Either mysqli_real_escape_string or Prepared statements for SQL injection

To keep the HTML injection, just don't do anything. Queries are already vulnerable to HTML injection.

In your case you might just want to use an editor for your forum posts, like: TinyMCE

Loko
0

You need to do (at least) two things:

  1. Your database user should have only the required grants on the given table - so GRANT INSERT on yourtable TO youruser instead of GRANT ALL on yourtable TO youruser

  2. Make yourself SQL injection safe - by using prepared statements in your PHP code

Tomasz Madeyski
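As an added example (not code from either answer), here is how the advice above fits together in PHP with mysqli: the post body is bound as a parameter so it can never become part of the SQL text, and it is HTML-escaped when displayed so a reader's browser treats it as text rather than markup. The `posts` table, the `forum_app` user and its credentials, and the `save_post`/`render_post` helpers are assumptions made for this example.

```php
<?php
// Added example: store and display a forum post safely with mysqli.
// Assumed schema (constructed for this example):
//   CREATE TABLE posts (id INT AUTO_INCREMENT PRIMARY KEY,
//                       user_id INT NOT NULL, body TEXT NOT NULL);
// Assumed least-privilege grant, following the second answer:
//   GRANT INSERT, SELECT ON forum.posts TO 'forum_app'@'localhost';

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$db = new mysqli('localhost', 'forum_app', 'secret', 'forum'); // assumed credentials

// 1. Prepared statement: the body travels as a bound parameter, so text such as
//    "DROP TABLE 'USERS'" or a stray quote is stored as data, never parsed as SQL.
function save_post(mysqli $db, int $userId, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (user_id, body) VALUES (?, ?)');
    $stmt->bind_param('is', $userId, $body); // i = int, s = string
    $stmt->execute();
    return $db->insert_id;
}

// Read a post back, again with a bound parameter for the id.
function load_post(mysqli $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc()['body'];
}

// 2. Output escaping: the stored text is converted to HTML entities when shown,
//    so <script> or <img onerror=...> in a post renders as literal characters.
//    (SQL protection does nothing for this; it is a separate, output-side step.)
function render_post(string $body): string
{
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>' . nl2br($safe) . '</p>';
}

$id = save_post($db, 42, "DROP TABLE 'USERS'; <h1>hi</h1>"); // stored verbatim, harmless
echo render_post(load_post($db, $id));
```

If posts should carry real formatting such as <h1> or <img>, replace htmlspecialchars() with an allowlist HTML sanitizer such as HTML Purifier; strip_tags() with an allowed-tag list is not enough, because it leaves attributes like event handlers on the permitted tags.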