> -----Original Message----- > From: Dotan Cohen [mailto:dotancohen@xxxxxxxxx] > Sent: Monday, November 06, 2006 3:24 PM > > I'm setting up a comments system on a site, with the comments stored > in a mysql database. To prevent sql-injection, I run > mysql_real_escape_string() on ingoing data. This should be enough to > protect the database (tell me if otherwise), but I'd like to prevent > people from posting Javascript and other malicious html. Basically, > I'd like the comments to be bbcode and text only, using this bbcode > parser: > http://il.php.net/manual/en/function.preg-replace.php#69398 > > How can I strip the remaining html, javascript, and whatnot from the > posts? If somebody has already invented this wheel, then I'd rather > not risk a security breach by trying to reinvent it myself. http://us2.php.net/manual/en/function.strip-tags.php http://us2.php.net/manual/en/function.htmlspecialchars.php http://us2.php.net/manual/en/function.str-replace.php DÆVID -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
