
Forum Moderators: coopster & jatar k


PHP-mySQL field validation?

Trying to let the user directly input html code into db...

5:55 pm on Nov 29, 2002 (gmt 0)

Junior Member (joined Sept 17, 2001)

Here I am again...
Can anybody help me? I have a mySQL db that needs to be updated from a browser anywhere (with some PHP aid)... so I need to validate a textarea input like

update ... values(foo=".$textareaname.");

I have to validate the $textareaname variable so it won't contain illegal chars that would generate a mySQL command syntax error (i.e. ' )...
The user is supposed to be able to insert HTML code into the field so it will be generated in "his" page...

Help me pleaaase!

6:34 pm on Nov 29, 2002 (gmt 0)

jatar_k, WebmasterWorld Administrator (joined July 24, 2001)

You could try something like mysql_escape_string [php.net]

6:55 pm on Nov 29, 2002 (gmt 0)

lorax, WebmasterWorld Senior Member from US (joined Mar 31, 2002)

You might also want to consider looking into addslashes(). It will escape most of the common characters that MySQL chokes on: single quote ', double quote ", backslash \ and NUL.


2:30 am on Dec 2, 2002 (gmt 0)

Junior Member (joined Sept 18, 2002)

If I remember correctly, you might also like to look at htmlspecialchars(), which will encode any HTML tags as their entity counterparts.

The HTML code of course will not be 'executed'. If you want their HTML code to actually be executed, and are not concerned about how the page presentation may be affected, then addslashes() & stripslashes() is the way to go.


2:47 pm on Dec 2, 2002 (gmt 0)

Senior Member (joined July 22, 2002)

There are really two problems that you need to address:

malicious SQL code
A user might insert malicious SQL code into your form. This is solved by escaping backslashes, null bytes and single quotes with the addslashes() function. If magic_quotes_gpc is on, then PHP will automatically escape those characters in all data from GET and POST requests and from cookies.

malicious HTML code
A user might insert malicious HTML and JavaScript code into your form which is executed when a surfer views the page with a JavaScript-enabled browser. To solve this problem escape <>"' with their HTML entities. If you want your users to use some kind of markup then I would suggest using style codes like the ones used in this and many other forums. All HTML markup that the user enters will be escaped; only the style codes will be transformed to HTML markup. This way you have control over which kind of markup you allow.

The other approach would be to use an HTML parser to parse the HTML entered by the user and check that prior to inserting it into the db. With this approach you will only find known malicious code (less restrictive, less safe, more coding), while with the latter approach you will allow only known good code (more restrictive, safer, easier to code).
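Added example (not code from the thread or any poster): the two-problem split from the reply above in working PHP, with a PDO prepared statement standing in for the addslashes()/mysql_escape_string() escaping the thread recommends, and a small style-code whitelist for output instead of trusting raw HTML. The table and column names, the PDO connection and the style codes themselves are assumptions.

```php
<?php
// Problem 1 (SQL): store the user's text as a bound parameter. The driver
// keeps data and query text separate, so quotes, backslashes and NUL bytes
// in $body can never change the statement. Table "pages" / column "body"
// are assumed names for this example.
function savePageBody(PDO $db, int $pageId, string $body): void
{
    $stmt = $db->prepare('UPDATE pages SET body = :body WHERE id = :id');
    $stmt->execute([':body' => $body, ':id' => $pageId]);
}

// Problem 2 (HTML): escape everything the user typed, then translate only a
// whitelist of style codes into markup. Anything else stays literal text, so
// a pasted <script> tag is displayed, not executed.
function renderStyleCodes(string $text): string
{
    // Every < > " ' & becomes an entity; user-supplied tags can no longer render.
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // Whitelisted codes (assumed set): bold and italic.
    $safe = preg_replace('#\[b\](.*?)\[/b\]#s', '<b>$1</b>', $safe);
    $safe = preg_replace('#\[i\](.*?)\[/i\]#s', '<i>$1</i>', $safe);

    // [url] is only honoured for absolute http(s) URLs, which rules out
    // javascript: links. $safe is already entity-encoded, so a quote inside
    // the URL is &quot; and cannot close the href attribute.
    $safe = preg_replace(
        '#\[url\](https?://[^\s\[\]<>]+)\[/url\]#',
        '<a href="$1">$1</a>',
        $safe
    );

    return nl2br($safe);
}

// Constructed sample input: legitimate style codes plus an injected tag.
$input = "Hello [b]world[/b]\n<script>alert(1)</script>\n"
       . "[url]https://example.com/?a=1&b=2[/url]";
echo renderStyleCodes($input), "\n";
```

The script tag comes out as text (`&lt;script&gt;...`), while the [b] and [url] codes become the only real markup in the page.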