Custom content management system - don't know how or when to escape content from db containing markup

I'm building a PHP CMS and the content will be pulled from a MySQL DB. How can I escape the content which has HTML markup, and when should I do this?

I'm just not sure how big an issue this is for main page content fields if only 'trusted' users can add content.

Thanks a lot in advance ;)

Well, you would want to use something like the htmlentities() function on the data when you are outputting it, or the strip_tags() function.

The first defense, though, would be to only accept data in the format you are expecting. For example, if it is a Name: field in a form, you would only accept letters, spaces, ',- and a few more characters. Don't add data into your database before checking if it is in the correct format.

Most form fields on a website do not require characters like < and >, so don't let the data be added to the database without checking if it is in the correct format. If you are expecting a positive integer like the number 1,2,3,4... and so on, don't let the script continue until those requirements are satisfied.
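An added example (not code from the original answer) showing the two points above in PHP: validate before the data reaches the database, and escape or filter at the moment of output. The field names, the tag allow-list and the sample row are assumptions:

```php
<?php
// Added example, not from the original post. Field names, allow-list and the
// sample row are constructed for illustration.
declare(strict_types=1);

// 1. Input validation before INSERT: a Name field accepts only letters,
//    spaces, apostrophes, commas and hyphens, as the answer describes.
function validateName(string $name): bool
{
    return preg_match('/^[\p{L} \',-]{1,100}$/u', $name) === 1;
}

// A positive integer field: reject anything that is not 1, 2, 3, ...
function validatePositiveInt(string $value): bool
{
    return ctype_digit($value) && (int) $value > 0;
}

// 2. Output escaping for fields that must never carry markup (titles, names).
//    Escape at print time, not at storage time, so the DB keeps the raw value.
function escapePlain(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. Output filtering for the one body field that is allowed to carry HTML.
//    strip_tags() keeps only the listed tags (array form needs PHP >= 7.4),
//    but it does not remove attributes on the tags it keeps, so the allow-list
//    should stay limited to tags without URL or event-handler attributes.
function filterContent(string $html): string
{
    return strip_tags($html, ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'h2', 'h3']);
}

// Constructed sample row standing in for a record read back from MySQL.
$row = [
    'title'  => 'Welcome <script>alert(1)</script>',
    'author' => "O'Brien, Mary-Ann",
    'body'   => '<p>Hello <b onclick="x()">there</b> <em>world</em></p><img src=x>',
    'views'  => '42',
];

// Validation gates the write; escaping/filtering guards the read.
if (validateName($row['author']) && validatePositiveInt($row['views'])) {
    echo '<h1>', escapePlain($row['title']), '</h1>', "\n";
    echo '<p>By ', escapePlain($row['author']), '</p>', "\n";
    echo filterContent($row['body']), "\n";
}
```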
