I'm creating a site which allows me to save the html definition of a page to a mysql database, from a text field on a form. I believe there is probably an issue with making sure destructive code cannot be sent as part of the page definition, but I am unsure what to do about it.
My thoughts are to create a generic PHP function which will fix the string when sending to the database, and fix it back when retrieving it. I think I need to use functions such as stripslashes, addslashes, htmlspecialchars etc., but would like someone with experience in this to provide some direction as to the issues I should be looking into. My current function is as follows:
```php
function fix_string($mystring, $stringaction)
{
    switch ($stringaction) {
        case "send":
            $mystring = trim($mystring);
            $mystring = stripslashes($mystring);              // remove one layer of backslashes
            $mystring = htmlspecialchars($mystring);          // encode <, >, & and " as entities
            $mystring = str_replace("\n", "", $mystring);     // drop line feeds
            $mystring = str_replace(">\r", ">", $mystring);   // drop a CR directly after a tag
            $mystring = str_replace("\r", "<BR>", $mystring); // remaining CRs become <BR>
            $mystring = str_replace('"', "'", $mystring);     // double quotes become single quotes
            $mystring = stripslashes($mystring);              // remove backslashes again
            break;

        case "retrieve":
            $mystring = trim($mystring);
            $mystring = htmlspecialchars($mystring);          // encode entities again on the way out
            $mystring = str_replace("<BR>", "\r", $mystring); // turn <BR> back into CR
            break;
    }
    return $mystring;
}
```
Does anyone see any potential issues/concerns with this?
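The two risks in the question (a string altering the SQL statement, and a stored string running as script when the page is shown) are best handled separately. The following is an added example, not code from the question or its author: it stores the text untouched through a prepared statement and escapes only when rendering; the `pages` table, the function names and the in-memory SQLite stand-in for MySQL are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Assumed schema for this example: pages(id INTEGER, body TEXT).
// The body is bound as a parameter, so quotes, backslashes and tags in it
// are data to the driver and can never change the SQL statement.
function save_page(PDO $pdo, int $id, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO pages (id, body) VALUES (:id, :body)');
    $stmt->execute([':id' => $id, ':body' => $body]);
}

function load_page(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

// Escape exactly once, at output time. ENT_QUOTES encodes both ' and ",
// and nl2br runs after escaping so the <br /> it inserts is kept as markup
// while every tag the user typed is shown as literal text.
function render_as_text(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Demonstration against an in-memory SQLite database (constructed stand-in).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input using the characters fix_string() rewrites or strips.
$input = "O'Reilly said \"hi\"\r\n<b>bold</b> & <script>alert(1)</script>";
save_page($pdo, 1, $input);

$stored = load_page($pdo, 1);
var_dump($stored === $input);          // bool(true): the round trip is lossless
echo render_as_text($stored), PHP_EOL; // tags are displayed, not executed
```

If the stored HTML must be rendered as markup rather than shown as text, escaping alone cannot do it; that case needs an allow-list HTML sanitizer applied at output, with the raw text still stored through the prepared statement above.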