2009/8/16 Caner Bulut <caner...@gmail.com>:
> Hi Dotan,
> You can use htmlentities(), htmlspecialchars() and strip_tags() functions
> when you show your saved data on your web pages. mysql_real_escape_string
> function saved data into mysql DB with a secure way. But when you try to
> show data you still have to control it.

Thank you Caner. This is the function that I use to escape HTML after
it has been pulled out of the database:

function clean_html ($dirty, $noNewlines=0) {
    $dirty = strip_tags($dirty);
    $dirty = str_replace("\r\n", "\n", $dirty);
    $dirty = str_replace("\r", "\n", $dirty);
    if ($noNewlines==1) { $dirty = str_replace("\n", " ", $dirty); }
    $dirty = ereg_replace( ' +', ' ', $dirty);
    $dirty = str_replace("&amp;", "&", $dirty);
    $dirty = str_replace("&", "&amp;", $dirty);

    return $clean;

It is rather convoluted but straightforward in my opinion. In addition
to preventing XSS attacks, it converts newlines to *nix-style and
limits them to just two newlines in a row (or none, depending on
application). It also limits spaces to a single space and ensures that
all ampersands are escaped properly before sanitation with

Dotan Cohen

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to