I'm building a review site that will allow users to submit reviews which will be stored in a MySQL DB. Reviews will be manually reviewed by me for content, and then displayed on my site. Here's my custom function for cleaning the data (every item on the form is passed to this function):
function cleanDataForDB($data) {
    // Strip tags, encode what remains as HTML entities, trim whitespace.
    $data = trim(htmlentities(strip_tags($data)));
    // Undo magic_quotes escaping (PHP < 5.4) so the data isn't escaped twice.
    if (get_magic_quotes_gpc())
        $data = stripslashes($data);
    // Escape for the legacy mysql_* extension (removed in PHP 7).
    $data = mysql_real_escape_string($data);
    return $data;
}
I haven't written the script to display the reviews once they've been approved yet, but I was planning on just passing all the fields from my MySQL table through html_entity_decode() function and writing them to the HTML of my page.
Does anyone see any obvious security holes in this plan? It seems pretty safe to me, but this is the first site I've built that allows user-submitted data, so I want to be sure I'm not leaving myself vulnerable.
Thanks!
You should do database escaping on the data before putting it into the DB, and do HTML escaping on pulling it out. That way, you can process the HTML in the user's posts in the future without finding "oops, I mangled it".
The best way to escape the data for insert is to use PDO.
For displaying the data, htmlentities is probably sufficient.
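The store-raw, escape-on-output approach described in this answer, as an added example (not the answerer's code or the asker's): a PDO prepared statement binds the review text as data on insert, and HTML escaping happens only when a row is rendered. The DSN, credentials and the `reviews` table with columns `id`, `author`, `body`, `approved` are assumed placeholders.

```php
<?php
// Added example: PDO prepared statement on the way in, htmlspecialchars on the way out.
// DSN, credentials and the "reviews" table layout are assumptions, not from the question.

function connectDb(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=reviewsite;charset=utf8mb4',
                   'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER');
    // Raise exceptions on errors and use real server-side prepares, not client emulation.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Insert: the named placeholders are bound as values, so quotes or backslashes in the
// review can never alter the SQL. No HTML escaping here; the text is stored as typed.
function storeReview(PDO $pdo, string $author, string $body): int {
    $stmt = $pdo->prepare(
        'INSERT INTO reviews (author, body, approved) VALUES (:author, :body, 0)');
    $stmt->execute([':author' => trim($author), ':body' => trim($body)]);
    return (int) $pdo->lastInsertId();
}

// Output: escape each value for the HTML text context it is written into.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Only approved rows are shown; every column goes through h() before reaching the page.
function renderApprovedReviews(PDO $pdo): string {
    $stmt = $pdo->query(
        'SELECT author, body FROM reviews WHERE approved = 1 ORDER BY id DESC');
    $html = '';
    foreach ($stmt as $row) {
        $html .= '<article><h3>' . h($row['author']) . '</h3><p>'
               . nl2br(h($row['body'])) . '</p></article>' . "\n";
    }
    return $html;
}

// Constructed sample input: markup and an apostrophe are stored verbatim by
// storeReview() and neutralised by h() at display time.
$pdo = connectDb();
storeReview($pdo, "O'Neil", "Great <b>service</b>, 5/5!");
echo renderApprovedReviews($pdo);
```

Because nothing is HTML-encoded before storage, the same rows can later be rendered into a different context (plain-text e-mail, JSON, an admin moderation view) by swapping the output escaper, which is the point the answer makes about not mangling the data.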
I agree with Borealid, but would like to add that you may want to use preg_replace() to completely remove any JavaScript scripting, rather than just stripping the tags from it.