Store it as is, using the escaping that your database library provides. nl2br and if needed htmlentities/htmlspecialchars when displaying it.
Am I sanitizing textarea safely
10-10-2022
Question
I have been using this to sanitize my textareas from XSS injects. I haven't had any problems yet, but since I have been reading around on Google I am not sure if this is a safe way.
$comment = nl2br(htmlspecialchars($_POST['comment']));
Then I am inserting it into my DB using mysqli with bind_param() to prevent SQL injection.
And lastly I am just outputting it with <p><?php echo $info['comment']; ?></p>
Is this a safe way?
What I want to do is just sanitize it, then store it in my DB, then output it, with working line breaks.
Thanks in advance.
Solution
Other tips
You're not sanitising at all.
As said, you need to use the escaping your database library provides, as the escaping methods vary depending on database type.
Historically, you'd use mysql_real_escape_string(), but that is now deprecated as of PHP 5.5.0.
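As an added example (not code from the question or either answer), here is the store-raw, escape-on-output pattern the answers describe, carried end to end. It assumes an in-memory SQLite table via PDO in place of the asker's MySQL/mysqli setup so it runs offline; the prepared statement plays the same role as mysqli's bind_param().

```php
<?php
declare(strict_types=1);

// Store the comment unmodified. The prepared statement keeps the value out of
// the SQL text, so no HTML escaping is baked into the stored data.
function store_comment(PDO $db, string $raw): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);
    return (int) $db->lastInsertId();
}

// Escape for HTML only at output time. ENT_QUOTES also encodes ' and ", so the
// result is safe inside attribute values as well as element text. nl2br runs
// AFTER htmlspecialchars so the inserted <br /> tags are not themselves escaped.
function render_comment(string $raw): string
{
    return nl2br(htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Assumption: an in-memory SQLite table stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input: markup, quotes and line breaks, as a textarea might deliver.
$posted = "Nice post!\n<script>alert('x')</script>\nSee \"this\" & that";

$id = store_comment($db, $posted);

$stmt = $db->prepare('SELECT body FROM comments WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The stored value is byte-for-byte what the user sent; escaping happens only on output.
assert($row['body'] === $posted);

echo '<p>' . render_comment($row['body']) . "</p>\n";
```

Because the database holds the original text, the same row can later be rendered for a different context (JSON, plain text, a different template) without first undoing HTML escaping.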