how to escape some html tags from htmlentities
aaloo (Junior Poster in Training, 76 posts since Oct 2011)
Use mysql_real_escape_string() to escape. Keep the HTML as is. You can use strip_tags():
http://php.net/manual/en/function.strip-tags.php
to allow certain tags only, e.g. anchor and image. The main problem with allowing HTML is badly formed/unterminated tags.
The only reason to htmlentity (IMO) is if you want to display viewable html in your page, or to stop non-terminated user-entered html from breaking your site.
Don't store htmlentity-ified text in your DB - just use it on the data when you come to display, if you really need to.
If you really must allow user-entered html, perhaps use BBCode.
diafol, Rhod Gilbert Fan (ardav), 7,792 posts since Oct 2006
I am using mysql_real_escape_string() before storing the text in the database, and then I am using the htmlentities function to display the text in the browser.
Can I use the strip_tags() function like this?
<?php
// As posted: htmlentities() runs first, so strip_tags() then sees no raw tags to remove.
$post = htmlentities($post);
$post = strip_tags($post);
echo $post;
?>
Will it improve my security from SQL injection?
aaloo (Junior Poster in Training, 76 posts since Oct 2011)
I can't see any advantage in using htmlentities with regard to helping with security wrt SQL injection.
AFAIK, preventing SQL injection involves safequoting and protecting number input - where quotes aren't used to enclose data.
mysql_real_escape_string will provide safequoting and you could use intval to provide safe numbering (if you are expecting an integer). floatval could also be used. However, this type of data should be validated first, e.g. with is_int or is_float.
I don't see the advantage of using htmlentities with regard to making SQL input safe. Strip_tags shouldn't affect SQL - just ensure that your output from the DB doesn't contain any horribleness like
diafol, Rhod Gilbert Fan (ardav), 7,792 posts since Oct 2006
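The separation the replies describe, as an added example that is not code from the thread: SQL safety is handled when storing (a prepared statement with a bound parameter stands in for mysql_real_escape_string, which PHP 7 removed, plus integer validation for the unquoted number), and HTML safety is handled only when displaying. The `posts` table and the sample text are constructed for the demonstration.

```php
<?php
// Assumed schema for the demo: posts(id, user_id, body). SQLite is used so it runs offline.

function validateUserId($input): int
{
    // Integers are not quoted in SQL, so quoting alone cannot protect them;
    // validate first, then coerce with intval as the reply suggests.
    if (filter_var($input, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('user_id must be an integer');
    }
    return intval($input);
}

function storePost(PDO $db, $userId, string $body): void
{
    // The raw text is stored unchanged. The bound parameter is never
    // interpolated into the SQL string, so quotes inside $body stay data.
    $stmt = $db->prepare('INSERT INTO posts (user_id, body) VALUES (?, ?)');
    $stmt->execute([validateUserId($userId), $body]);
}

function renderPost(string $body): string
{
    // Strip first, then encode. strip_tags() only recognises raw '<'...'>',
    // so running it after htmlentities() removes nothing.
    return htmlentities(strip_tags($body), ENT_QUOTES, 'UTF-8');
}

// Constructed, harmless sample input containing a tag, an ampersand and quotes.
$sample = "Hello <b>world</b> & 'friends'";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');
storePost($db, '42', $sample);

// Read it back and escape at display time only.
$row = $db->query('SELECT body FROM posts')->fetch(PDO::FETCH_ASSOC);
echo renderPost($row['body']), "\n";

// The order from the question: the encoded tag text stays in the output
// because strip_tags() finds no raw tags once '<' has become '&lt;'.
echo strip_tags(htmlentities($sample, ENT_QUOTES, 'UTF-8')), "\n";
```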