On Wed, 18 Aug 2004 11:37:03 -0400
"leegold" <[EMAIL PROTECTED]> wrote:
> Question I have wondered about: Is it a good practice to put html in
> a text field, then (eg. via php) when the marked-up text renders in
> a user's browser it's good looking html. If not, then I'd just
> sandwich field content in a <p></p> when it's rendered. Though,
> seems like it would mess-up fulltext searching in a marked-up text
> field(?). Thanks. Lee G.
I never cared for it, but if you HAVE to, my recommendation is to do something like
this:
$clean_html = htmlentities($dirty_html, ENT_QUOTES);
mysql_query("INSERT INTO table (html_field) VALUES ('$clean_html')");
Then when you need to display the HTML, after pulling the data from the database use:
$html = html_entity_decode($html_from_db, ENT_QUOTES); //requires php >= 4.3.0
The htmlentities converts characters like quotes, <, >, etc. to nice text the database
won't have any problems storing and prevents SQL injection attacks (it's a good idea
to use htmlentities on ANY text field you take from an untrusted source and insert
into a database)
I would also strip out <script> tags and research cross site scripting prevention,
which you are in danger of having problems with if you blindly store submitted HTML
from the Internet, such as in a bulletin board app.
http://www.php.net/htmlentities
http://www.php.net/html_entity_decode
Josh
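As an added example (not code from Josh's message), this PHP sketch walks through the store-and-display cycle he describes: htmlentities() before the insert, html_entity_decode() before output, and an allowlist pass in place of the script-tag stripping he mentions. The PDO handle $pdo, the table name and the allowed tag list are assumptions.

```php
<?php
// Added example, not from the original post. Shows the encode-on-insert /
// decode-on-display round trip with ENT_QUOTES and an allowlist before output.

// Constructed sample input: one legitimate tag plus an injected script element.
$dirty_html = '<p class="x">Tom\'s "list" & friends</p><script>alert(1)</script>';

// Encode for storage as recommended in the thread: quotes, <, > and & become entities.
$clean_html = htmlentities($dirty_html, ENT_QUOTES);

// Insert with a bound parameter. The driver, not htmlentities(), keeps the value
// from being interpreted as SQL. $pdo is an assumed PDO handle, table_name is assumed.
function store_html(PDO $pdo, $clean_html)
{
    $stmt = $pdo->prepare('INSERT INTO table_name (html_field) VALUES (:h)');
    $stmt->execute(array(':h' => $clean_html));
}

// Display path: decoding restores the raw markup, including any <script> that was
// submitted, so reduce it to an allowlist of tags before echoing it into a page.
function render_html($html_from_db, $allowed_tags = '<p><b><i><a>')
{
    $html = html_entity_decode($html_from_db, ENT_QUOTES);

    // strip_tags() removes disallowed elements but keeps attributes on allowed ones,
    // so inline event handlers (onclick=...) would survive; drop any on* attribute.
    $html = strip_tags($html, $allowed_tags);
    $html = preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $html);

    // Illustrative only: href/src values (javascript: URLs) are not filtered here.
    // A purpose-built sanitizer such as HTML Purifier is the better production choice.
    return $html;
}

echo $clean_html, "\n";
echo render_html($clean_html), "\n";
```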
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql