> Lawrence Kennon wrote:
>> For a BBS I would like to let users post links to
>> various resources. They 'post' a message to the BBS
>> via a form and that is stored in a MySQL db, then the
>> content of their 'post' is available to other users on
>> the BBS. Currently I strip out all PHP/HTML with the
>> strip_tags() function. What I would really like to do
>> is allow a limited set of HTML tags (like the anchor
>> <a> tag) but at the same time implement reasonable protection.
> 
> Get yourself a bbcode parser from phpclasses.org so you can use things
> like [b] [/b], and [url=] [/url], etc. This is safer than trying to deal
> with actual HTML, imo. Then use htmlentities() on the data instead of
> strip_tags(), so the users can actually write something like <grin> and
> not have it stripped.

[snip]

I have a "best practice" question related to this thread. I usually store
data in MySQL without any translation, then use htmlspecialchars() before
displaying as HTML. This works well for a content management system where
administrators are entering data in forms and storing, but perhaps it's not
appropriate for storing information from website visitors. If that
information should be translated before storing, then I'd have some stuff
that needs htmlspecialchars() applied before displaying, and some stuff that
does not.

My question is, are there any disadvantages to always following the
procedure described below?

- Use htmlentities() on everything before storing in the database
- Retrieve and display in cms forms without any translation
- Retrieve and translate mnemonic codes (like [b] [eb] to <strong>
</strong>) before displaying as HTML
- Retrieve and use html_entity_decode() if needed for non-HTML use (like for
plain text email), or if I actually *WANT* to use stored HTML code (like for
HTML-formatted email)

TIA

--
Lowell Allen

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
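The storage-and-display procedure asked about above, as an added PHP example that is not code from this thread or from any of its participants. It assumes PHP 7.4 or later, UTF-8 text, and a constructed sample post; the function names (storeRaw, storeEncoded, renderRaw, renderEncoded, plainText, bbcodeToHtml) are hypothetical. It places the escape-on-output pipeline (store raw, htmlspecialchars() at display time) beside the encode-on-store pipeline (htmlentities() before INSERT, html_entity_decode() for non-HTML use) so the difference between the two can be seen on the same input.

```php
<?php
// Added example, not from the original thread.
// Assumes PHP >= 7.4 and UTF-8 text throughout.

declare(strict_types=1);

// Constructed sample input: a visitor post mixing a mnemonic code, a literal
// "<grin>", a [url=] code and an attempt to inject markup.
$visitorPost = 'Hello [b]world[/b] <grin> [url=http://example.com/?a=1&b=2]site[/url]'
             . ' <script>alert(1)</script>';

// Shared mnemonic-code translation. It is applied only AFTER the text has been
// entity-encoded, so [b] and [url=] are the only way a visitor can produce markup.
function bbcodeToHtml(string $encoded): string
{
    // single quotes keep "$1" literal, which is what preg_replace expects
    $html = preg_replace('#\[b\](.*?)\[/b\]#s', '<strong>$1</strong>', $encoded);

    // Only http/https URLs are accepted; the captured value is already
    // entity-encoded (" is &quot;, & is &amp;), so it cannot break out of href.
    return preg_replace_callback(
        '#\[url=(https?://[^\]\s]+)\](.*?)\[/url\]#s',
        fn(array $m): string => '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>',
        $html
    );
}

// --- Strategy A: store raw, escape on output --------------------------------

function storeRaw(string $post): string
{
    return $post; // the row holds exactly what the visitor typed
}

function renderRaw(string $stored): string
{
    // ENT_QUOTES covers both quote styles; an explicit charset avoids
    // multibyte surprises; ENT_SUBSTITUTE keeps invalid sequences from
    // turning the whole string into "".
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return bbcodeToHtml($safe);
}

// --- Strategy B: htmlentities() before storing, as proposed in the thread ----

function storeEncoded(string $post): string
{
    return htmlentities($post, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderEncoded(string $stored): string
{
    // already entity-encoded, so only the mnemonic codes need translating
    return bbcodeToHtml($stored);
}

function plainText(string $stored): string
{
    // the decode step strategy B needs for plain-text e-mail and similar uses
    return html_entity_decode($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Both HTML renderings show "<grin>" and the script tag as literal text and
// produce the same <strong> and <a> markup; plainText() returns the original
// post (including the mnemonic codes) for non-HTML contexts.
echo renderRaw(storeRaw($visitorPost)), PHP_EOL;
echo renderEncoded(storeEncoded($visitorPost)), PHP_EOL;
echo plainText(storeEncoded($visitorPost)), PHP_EOL;
```

Run it with `php example.php`. The design point the example makes visible is that the order matters more than the storage choice: in both pipelines the entity encoding happens before the mnemonic codes are translated, so a visitor's own `<` and `"` never reach the HTML unescaped, and the URL pattern only ever emits attribute values that are already encoded. What differs is where the encoded form is tied to a context: with strategy B every reader of the column must know it holds HTML-encoded text and decode it before any non-HTML use (plain-text e-mail, search indexing, CSV export), which is the extra bookkeeping the thread is asking about. Neither strategy replaces prepared statements on the MySQL side; entity encoding is an HTML-output concern, not a SQL one.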
