First of all, I have an HTML editor that accepts input from the user. I want to store the plain HTML tags in the database and also cater for the quotes (SQL injection) that appear in the input.

For example,

$input = '<h1><strong><span style="font-size:36px">I\'m waiting</span></h1>';

I need to cater for the quote in "I'm waiting" only, but not the quotes that appear inside the HTML tags, before storing into the database. Any recommended way to do that?

PS: please ignore PDO (or mysqli) with prepared statements in this case.

user2126081
  • Did you try using `htmlentities()`? – Rusty Jan 18 '16 at 07:22
  • What are you receiving from the database? – devpro Jan 18 '16 at 07:38
  • Why do you want to treat the HTML tags and the text in between differently? They are both user input and a security risk for SQL injection in the same way. – Gavriel Jan 18 '16 at 07:46
  • @Gavriel if this is the case, should I use addslashes() before inserting into the database and stripslashes() when retrieving the data? – user2126081 Jan 18 '16 at 07:56
  • Without any use of an escaping function/prepared statement, anything other than that leaves you open to an SQL injection. – Funk Forty Niner Jan 18 '16 at 12:30
  • Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Dharman Sep 25 '19 at 12:33

1 Answer

You should use http://php.net/manual/en/function.mysql-real-escape-string.php to make sure no SQL injection can be made against you.

Gavriel
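Worked example, added here and not part of the question or the answer above. The point the comments make is that, at the SQL layer, the apostrophe in "I'm" and the double quotes in `style="..."` are the same thing: characters that can end the string literal. There is no sensible way to escape only one of them; the whole value is bound as a parameter (or, failing that, escaped as a whole). The code uses mysqli rather than the `mysql_*` extension the answer links to, because that extension was deprecated in PHP 5.5 and removed in PHP 7.0; `mysqli::real_escape_string` is its equivalent. It assumes a local MySQL database `demo` with a table `pages (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)` and placeholder credentials; the database name, table, columns and credentials are all assumptions for the example.

```php
<?php
// Added example: storing user-supplied HTML (containing both ' and ") safely.
// Assumes a local MySQL server, database `demo`, table
// pages (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT); credentials are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of failing silently

$db = new mysqli('localhost', 'app', 'secret', 'demo');
$db->set_charset('utf8mb4'); // escaping is charset-dependent; set it before any escaping happens

// The value from the question, as the editor would submit it (nowdoc: no PHP escaping needed).
$input = <<<'HTML'
<h1><strong><span style="font-size:36px">I'm waiting</span></strong></h1>
HTML;

// 1. Prepared statement. The HTML travels as a bound parameter and is never spliced
//    into the SQL text, so neither the apostrophe in the text nor the double quotes in
//    the attribute can terminate a literal. Nothing is added, so nothing has to be
//    stripped on the way back out.
$stmt = $db->prepare('INSERT INTO pages (body) VALUES (?)');
$stmt->bind_param('s', $input);
$stmt->execute();
$stmt->close();

// 2. Escaping, if a prepared statement really is off the table: it must be applied to the
//    whole value, tags included. real_escape_string backslash-escapes the characters MySQL's
//    literal parser cares about (' " \ NUL \n \r Ctrl-Z); MySQL removes those backslashes
//    while parsing the literal, so the stored row is the original HTML, not the escaped one.
$escaped = $db->real_escape_string($input);
$db->query("INSERT INTO pages (body) VALUES ('$escaped')");

// Read both rows back and compare them with what was submitted.
$res = $db->query('SELECT body FROM pages ORDER BY id DESC LIMIT 2');
while ($row = $res->fetch_assoc()) {
    // strict comparison: true only if the stored body is byte-for-byte the original
    var_dump($row['body'] === $input);
}
$db->close();
```

Both rows come back equal to `$input`, which is why the `addslashes()`/`stripslashes()` pair floated in the comments is the wrong model: correct escaping (or binding) leaves no slashes in the stored value, and a `stripslashes()` on read would silently corrupt any backslash the user legitimately typed. One further caveat a practitioner would want: SQL escaping says nothing about what happens when that stored HTML is rendered, so accepting raw HTML from users still needs an HTML sanitizer on the output side; that is outside what the question asks, but it is the other half of the problem.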