So here is the thing, I'm working on my own little PHP based forum software for my college exam (comp. sciences). One thing I found tricky to do is to allow html content. One of the exam requirements is SQL security.

所以这就是事情,我正在为我的大学考试(comp。科学)开发我自己的基于PHP的小论坛软件。我发现棘手的一件事是允许html内容。考试要求之一是SQL安全性。

In my forum I want to allow someone to copy and paste something from the internet, like say a WikiPedia article, with all hyperlinks and font styling to transfer over ones they paste it into the forum textarea.

在我的论坛中,我想允许某人从互联网上复制和粘贴一些东西,比如说一篇WikiPedia文章,所有的超链接和字体样式都可以转移到它们粘贴到论坛textarea中。

I was able to achieve this with use of nicEditor which is a js wysiwyg editor. Now the problem strives from the way I validate the user input. In order to make the input secure it's called in such format.

我能够使用nicEditor实现这一点,这是一个js wysiwyg编辑器。现在问题来自我验证用户输入的方式。为了使输入安全,它以这种格式调用。

parsebbCode(htmlentities(stripslashes($posts_content)))

This pretty much renders everything useless, turning html into plain text. So here is the thing, how can I store the html code in it's default state in MySQL and convert it into rich format ones it's going to the client side, without creating a SQL vulnerability? Or should I just write some BBCODE to parse the basic elements instead?

这几乎使一切变得无用,将html变成纯文本。所以这就是问题,如何将html代码存储在MySQL中的默认状态,并将其转换为丰富的格式,它将转移到客户端,而不会产生SQL漏洞?或者我应该写一些BBCODE来解析基本元素?

1 个解决方案

#1

---