PHP Help - HTMLSPECIALCHARS


EatRamen
08-25-2007, 12:34 PM
Hi. I'm coding a new petsite, everything's almost done, I'm just going around the site... Adding... Stuff... But, anyway:

I have a question. I always clean my vars, but is it safe to NOT put htmlspecialchars(strip_tags($_POST['content'])); for things like descriptions/messages/etc.? I want to allow HTML for those things but I don't know if that is the safest way to go (like MySQL injections and things like that). If it isn't safe, any suggestions? I think the only other way would be to use something like BBCode.

Thanks.

P.S.
Also, if anyone trustable who knows a lot about hacking/PHP/MySQL could test the site out for any bugs... Let me know xD
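The question above is really about output: once user text is echoed into a page, any HTML left in it runs in every visitor's browser. The added example below (written for this thread, not code from the original poster or any project) shows the BBCode approach the poster mentions: encode the entire string with htmlspecialchars first, then translate a small whitelist of BBCode tags into markup the script itself emits. The function name bbcode_to_safe_html and the sample strings are this example's own.

```php
<?php
// Added example (not from the thread): allow limited formatting safely by
// encoding everything the user typed first, then converting a BBCode subset.

declare(strict_types=1);

/**
 * Convert a small BBCode subset to HTML that is safe to echo into a page.
 * Every '<', '>', '&', '"' and "'" the user supplied is encoded up front,
 * so the only tags that reach the browser are the ones written out here.
 */
function bbcode_to_safe_html(string $input): string
{
    // Step 1: neutralise all user-supplied HTML.
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: translate whitelisted BBCode into fixed markup.
    $safe = preg_replace('#\[b\](.*?)\[/b\]#s', '<strong>$1</strong>', $safe);
    $safe = preg_replace('#\[i\](.*?)\[/i\]#s', '<em>$1</em>', $safe);

    // [url=https://...]text[/url]: only http(s) schemes match, and quotes were
    // already encoded in step 1, so the value cannot break out of the attribute.
    $safe = preg_replace_callback(
        '#\[url=(https?://[^\s\[\]]+)\](.*?)\[/url\]#s',
        static function (array $m): string {
            return '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    return $safe;
}

// Constructed sample inputs for a quick check from the command line.
$samples = [
    '[b]Hello[/b] <script>alert(1)</script>',        // script tag is encoded, bold survives
    '[url=javascript:alert(1)]click[/url]',           // non-http scheme: left as plain text
    '[url=https://example.com/?a=1&b=2]ok[/url]',     // becomes a link with &amp; in the href
];
foreach ($samples as $s) {
    echo bbcode_to_safe_html($s), PHP_EOL;
}

// Why strip_tags() with an allow-list is not a substitute: it keeps attributes
// on the allowed tags, so an event handler on a permitted <b> survives.
echo strip_tags('<b onmouseover="alert(1)">x</b>', '<b>'), PHP_EOL;
```

The design choice is that user input never reaches the page as HTML; formatting is re-created from markup the script controls. If the site needs a larger tag set (images, lists, colours), each new tag needs its own narrowly matched pattern, and any attribute value taken from the user should be validated the way the URL is here.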

Andrew
08-25-2007, 12:36 PM
Couldn't you use mysql_escape_quotes();? I'm not sure... but it was you! I sent you a PM lol xD

Raven
08-25-2007, 12:38 PM
I'd like to apply for a moderator position when the site opens up, and I'd also like to join its temp forums as well.

EatRamen
08-25-2007, 12:41 PM
Okay. I needed someone to test everything anyway xD

As for the moderator position, we'll see how everything works out xD

Could you PM me so I don't forget to add your account? xD

Andrew
08-25-2007, 12:45 PM
I'd love to test it out too :P Me can see if I can exploit it too xD

Incognito
08-25-2007, 03:11 PM
I'm pretty sure you just need to addslashes($_POST['content']).

Haywire
08-25-2007, 03:52 PM
Eregi to only alphanumeric with spaces, dashes and slashes :P

Vivacity
09-01-2007, 09:40 PM
Hi. I'm coding a new petsite, everything's almost done, I'm just going around the site... Adding... Stuff... But, anyway:

I have a question. I always clean my vars, but is it safe to NOT put htmlspecialchars(strip_tags($_POST['content'])); for things like descriptions/messages/etc.? I want to allow HTML for those things but I don't know if that is the safest way to go (like MySQL injections and things like that). If it isn't safe, any suggestions? I think the only other way would be to use something like BBCode.

Thanks.

P.S.
Also, if anyone trustable who knows a lot about hacking/PHP/MySQL could test the site out for any bugs... Let me know xD


I'm not sure that I understand the question, but for working with any database insertion of variables that contain values determined by the user, you need to mysql_real_escape_string($string); them before inserting them to avoid MySQL injection.

erapets
09-02-2007, 12:55 AM
You can use mysql_real_escape_string(); to escape MySQL queries.
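The last two replies cover the database side with mysql_real_escape_string(). The added example below (written for this thread, not code from any poster) shows the same goal with a prepared statement, where the values are sent separately from the SQL text and no escaping step is needed at all. It uses SQLite in memory so it runs with no server; the function names open_db, save_pet and load_description and the sample description are this example's own, and the same PDO calls work against MySQL with a mysql: DSN.

```php
<?php
// Added example (not from the thread): store user-supplied text with a
// prepared statement instead of escaping it into the query string.

declare(strict_types=1);

function open_db(): PDO
{
    // In-memory SQLite so the example runs offline; swap the DSN for MySQL.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pets (id INTEGER PRIMARY KEY, name TEXT, description TEXT)');
    return $db;
}

function save_pet(PDO $db, string $name, string $description): int
{
    // Named placeholders: the driver transmits values apart from the SQL, so
    // quotes, backslashes, semicolons and comment markers in the text are data.
    $stmt = $db->prepare('INSERT INTO pets (name, description) VALUES (:name, :description)');
    $stmt->execute([':name' => $name, ':description' => $description]);
    return (int) $db->lastInsertId();
}

function load_description(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT description FROM pets WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['description'];
}

$db = open_db();

// Constructed input containing the characters escaping functions exist for.
$tricky = "Fluffy's \"favourite\" toy; -- costs 100% of a \\ backslash <b>bold</b>";
$id = save_pet($db, 'Fluffy', $tricky);
$stored = load_description($db, $id);

// Stored byte-for-byte with no escaping call anywhere in the code path.
var_dump($stored === $tricky); // bool(true)

// Showing it on a page is a separate concern: SQL safety was handled by the
// placeholders, HTML safety is handled here at output time.
echo htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8'), PHP_EOL;
```

With the MySQL driver, set PDO::ATTR_EMULATE_PREPARES to false on the connection so the server itself does the parsing and binding. The mysql_* functions the thread uses were removed in PHP 7, so PDO or mysqli prepared statements are the route on any current PHP install.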