Hey all,
I have a site similar to any other blog site, where I have a few friends coming and posting whatever they want. I found this "Rich-text Editor" online, a WYSIWYG editor for posting to their blog...and have a few questions about database input and future output.
Since the WYSIWYG editor (found here: http://www.kevinroth.com/rte/demo.htm ) is basically a bunch of HTML code...what would I need to do before inputting it into my database to be safe?
Since my php.ini has magic_quotes_gpc set to off...would I need to mysql_real_escape_string() everything going into the database? What else would I need?
Also, when retrieving the data from the MySQL database, what would I need to do to it? Do I need to use stripslashes()? I really want this to be foolproof.
BTW: the richtext editor suggested using the following function before placing formatted text into a database, should I use this or simple PHP functions instead?
function RTESafe($strText)
{
//returns safe code for preloading in the RTE
$tmpString = trim($strText);
//convert all types of single quotes
$tmpString = str_replace(chr(145), chr(39), $tmpString);
$tmpString = str_replace(chr(146), chr(39), $tmpString);
$tmpString = str_replace("'", "'", $tmpString);
//convert all types of double quotes
$tmpString = str_replace(chr(147), chr(34), $tmpString);
$tmpString = str_replace(chr(148), chr(34), $tmpString);
//$tmpString = str_replace("\"", "\"", $tmpString);
//replace carriage returns & line feeds
$tmpString = str_replace(chr(10), " ", $tmpString);
$tmpString = str_replace(chr(13), " ", $tmpString);
return $tmpString;
}
Thanks!
-influx
