Sanitize input before storing into database

Question

First of all, I have a html editor that accept input from user. I want to store plain html tags in database and cater for quotes (sql injection) that appear as well.

For example,

$input = "<h1><strong><span style="font-size:36px">I'm waiting</span></h1>";

I need to cater quote only from I'm waiting but not quotes that appear between html tags before storing into database. Any recommended way to do that?

ps: please ignore PDO (or mysqli) with prepared statements in this case.

Why do you want to treat the html tags and the text in between differently. They are both user input ans a security risk for sql injection the same way — Gavriel, Jan 18 '16 at 07:46
@Gavriel if this is the case, should I use addslashes() before inserting into database and use stripslashes() for retrieving data? — user2126081, Jan 18 '16 at 07:56
without any use of an escaping function/prepared statement, anything other than that leaves you open to an SQL injection. — Funk Forty Niner, Jan 18 '16 at 12:30
Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Dharman, Sep 25 '19 at 12:33

score -1 · Answer 1 · answered Jan 18 '16 at 07:58

-1

You should use http://php.net/manual/en/function.mysql-real-escape-string.php to make sure no sql injection can be made against you.

answered Jan 18 '16 at 07:58

Gavriel

18,880
12
68
105

Telling someone to use a deprecated method isn't a good idea. – Matt Stephens Nov 23 '16 at 14:16
4

@MattStephens, on the other hand telling someone that something is deprecated without telling what to use instead is very helpful – Gavriel Nov 25 '16 at 11:08

Sanitize input before storing into database

1 Answers1