Store it as is, using the escaping that your database library provides. nl2br and if needed htmlentities/htmlspecialchars when displaying it.
Am I sanitizing textarea safely
10-10-2022
Question
I have been using this to sanitize my textareas from XSS injects. I haven't had any problems yet, but since I've been reading around on Google I am not sure if this is a safe way.
$comment = nl2br(htmlspecialchars($_POST['comment']));
Then I am inserting it into my DB using mysqli with bind_param() to prevent SQL injection.
And lastly I am just outputting it with <p><?php echo $info['comment']; ?></p>
Is this a safe way?
What I want to do is just sanitize it, then store it in my DB, then output it with working line breaks.
Thanks in advance,
Solution
OTHER TIPS
You're not sanitising at all.
As said, you need to use the escaping your database library provides, as the escaping methods vary depending on database type.
Historically, you'd use mysql_real_escape_string(), but that is now deprecated as of PHP 5.5.0.
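Putting both answers together in code, as an added example that is not from the question or either answer: the comment is stored unchanged through a mysqli prepared statement, and it is escaped for HTML only at the moment it is rendered. The `comments` table, the `$db` connection and the sample input are assumptions made up for this example.

```php
<?php
// Added example (not from the question or either answer): store the textarea
// content raw via a prepared statement; escape only when rendering as HTML.
declare(strict_types=1);

/**
 * Store the raw comment. Assumes a hypothetical `comments(comment TEXT)`
 * table and an already open mysqli connection.
 */
function store_comment(mysqli $db, string $rawComment): bool
{
    // With a prepared statement the value never becomes part of the SQL
    // text, so no escaping is needed (and none should be applied) here.
    $stmt = $db->prepare('INSERT INTO comments (comment) VALUES (?)');
    $stmt->bind_param('s', $rawComment);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/**
 * Render a stored comment inside an HTML page. Escape first, then convert
 * newlines to <br /> tags; doing it in the other order would escape the
 * <br /> tags themselves and the line breaks would not render.
 */
function render_comment(string $rawComment): string
{
    $escaped = htmlspecialchars(
        $rawComment,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return nl2br($escaped);
}

// Constructed sample input standing in for $_POST['comment'].
$sample = "Line one <script>alert('xss')</script>\nLine two & more";
echo '<p>' . render_comment($sample) . "</p>\n";
```

Keeping the stored value raw also avoids the problems that come from encoding on the way in: a comment that was run through htmlspecialchars before storage is wrong the moment it is reused anywhere other than an HTML page (a JSON API, an email, a plain-text export), and editing it back into a textarea without decoding produces double-encoded text. Escaping is a property of the output context, so it belongs at the output.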