Is there anyway to clean HTML code via php being saved to a database? [duplicate]

Question

Possible Duplicate:
What's the best method for sanitizing user input with PHP?

I'm using TinyMCE to allow uses to edit a small portion of a web page.

This field is saved to a database.

Is there a regular expression I can use to clean the incoming HTML code so it avoids any XSS/NULL/DROP TABLES kind of attacks?

I've done this on single line inputs text/numbers etc, but not sure how to go about this when receiving an HTML string.

Answer 1

I'd recommend playing with HTMLPurifier.

Answer 2

You can use the PHP functions: striptags and htmlspecialchars:

http://php.net/manual/en/function.strip-tags.php

Answer 3

You can use this -

 function safe_sql($obj)
{
    $obj = htmlspecialchars($obj);
    $obj = str_replace('"',""",$obj);
    $obj = str_replace("'","'",$obj);
    $obj = str_replace("`","`",$obj);
    $obj = mysql_real_escape_string($obj);
    return $obj;
}

I'm using it and it's working fine. And you can also use this function to make it normal(after you pull the data from the database) -

 function to_Normal($data)
{
    $data = htmlspecialchars_decode($data);

    $data = str_replace(""",'"',$data);
    $data = str_replace("'","'",$data);
    $data = str_replace("`","`",$data);
    $data = nl2br($data);
    return $data;
}