On Wed, 18 Aug 2004 11:37:03 -0400 "leegold" <[EMAIL PROTECTED]> wrote:
> Question I have wondered about: Is it a good practice to put html in
> a text field, then (eg. via php) when the marked-up text renders in
> a user's browser it's good looking html. If not, then I'd just
> sandwich field content in a <p></p> when it's rendered. Though,
> seems like it would mess up fulltext searching in a marked-up text
> field(?). Thanks. Lee G.

I never cared for it, but if you HAVE to, my recommendation is to do something like this:

    $clean_html = htmlentities($dirty_html, ENT_QUOTES);
    mysql_query("INSERT INTO table (html_field) VALUES ('$clean_html')");

Then when you need to display the HTML, after pulling the data from the database use:

    $html = html_entity_decode($html_from_db, ENT_QUOTES); // requires php > 4.3.0

The htmlentities converts characters like quotes, <, >, etc. to nice text the database won't have any problems storing and prevents SQL injection attacks (it's a good idea to use htmlentities on ANY text field you take from an untrusted source and insert into a database).

I would also strip out <script> tags and research cross site scripting prevention, which you are in danger of having problems with if you blindly store submitted HTML from the Internet, such as in a bulletin board app.

http://www.php.net/htmlentities
http://www.php.net/html_entity_decode

Josh

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
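The thread above suggests entity-encoding submitted HTML before it is stored and decoding it again at display time. The example below is an added illustration, not code from either poster, of the approach a defender would usually prefer instead: keep the submitted text unmodified in the database, let a prepared statement (not string interpolation, as in the `mysql_query("... '$clean_html'")` line quoted above) keep it out of the SQL grammar, and do the HTML encoding only at the moment of output. That also answers Lee's full-text search concern, since a search for "O'Reilly" still matches text that was never turned into `O&#039;Reilly`. It uses PDO with an in-memory SQLite database so it runs stand-alone; the DSN, table name and the pdo_sqlite extension are assumptions, and the two posts it inserts are constructed sample input.

```php
<?php
// Added example, not from the list post: store submitted text raw, use
// prepared statements against SQL injection, and encode for HTML only at
// output. Runs on SQLite in memory (assumes the pdo_sqlite extension);
// replace the DSN with 'mysql:host=...;dbname=...' for a real deployment.

declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Store the text exactly as submitted. The bound placeholder means quotes,
// backslashes and semicolons inside $body are data, never SQL syntax, so
// no escaping or entity-encoding belongs at this layer.
function storePost(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Searching works on the original characters because nothing was
// entity-encoded before storage. (LIKE treats % and _ as wildcards; escape
// them if the search term comes from the user and that matters to you.)
function searchPosts(PDO $db, string $needle): array
{
    $stmt = $db->prepare('SELECT id, body FROM posts WHERE body LIKE :pat');
    $stmt->execute([':pat' => '%' . $needle . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding is the XSS control: the stored body is rendered as text
// inside a <p>, so a submitted <script> tag is displayed literally rather
// than executed. Stripping a blocklist of tags is not a substitute for this.
function renderPost(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample posts: one with an apostrophe, one carrying markup.
$db = openDb();
storePost($db, "Tim O'Reilly's book on MySQL, page 1.");
storePost($db, "hello <script>evil()</script> world");

foreach (searchPosts($db, "O'Reilly") as $row) {
    echo renderPost($row['body']), "\n";
}
foreach (searchPosts($db, 'world') as $row) {
    echo renderPost($row['body']), "\n";
}
```

The first loop prints the O'Reilly post with the apostrophe rendered as `&#039;`, and the second prints the angle brackets of the script tag as `&lt;script&gt;`, so the browser shows the text instead of running it. If a site really must allow some markup in posts, the encode-at-output function is the place to swap in an allowlisting HTML sanitizer; the storage layer still stays raw and parameterised.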