CODEWITHSUNDEEP
phpmysqlhtmltagsformat
Dan Hanly
Dan Hanly

Reputation: 7839

PHP MySQL input HTML tags

I have a PHP MySQL database which I will be storing all my information in. I have a text field on a HTML page that the user can add data to and then on submit a MySQL query inserts this information into a database. Pretty standard stuff.

However, I am now in a position where I can attach a TinyMCE or FCKEditor onto my text field (now a text area). My question is: How do I get this information into the database now, taking into account that the tags will affect the MySQL query, and stripping any tags would impair the display of said information on another page?

I know about strip_tags and similar PHP features but my problem isn't going to be with the PHP it's going to be with the database input with MySQL, any " or ' or ; will break the query and removing these tags before input would remove any format enhancements the user has made.

I am under the assumption also, that if I use mysql_real_escape_string I would need to strip the slashes before I display the data - and this would take all the slashes out of the close tags as well: ,
etc.

Upvotes: 1

Views: 2454

Answers (2)

Naveed
Naveed

Reputation: 42093

Look at this:

http://php.net/manual/en/function.mysql-real-escape-string.php

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));

Upvotes: 0

reko_t
reko_t

Reputation: 56430

You need to escape the value before you insert it in your SQL statement. If you use the mysql extension, you use the mysql_real_escape_string to do this:

$text = mysql_real_escape_string($_POST['text']);

It escapes characters such as quotation marks, so you can safely insert the value in database.

Upvotes: 1

Related Questions