justted 0 Junior Poster

Hi Everyone,

I am creating a website in which I would like to allow members to post HTML and CSS code to decorate their profiles' backgrounds and pages. I've been searching for ages and am confused as to the best way to sanitise input before inserting it into the database and then how to re-check it before outputting HTML to the user in the browser!

I am currently using the following code to check user input variables

$id = $_GET['id']; // should this go before or after the code below???

// SANITISING ALL DATA ... NEED TO CHECK IF IT WORKS
if (!get_magic_quotes_gpc())
{
    // magic_quotes_gpc is off: escape every request value once
    $_GET    = array_map('mysql_real_escape_string', $_GET);
    $_POST   = array_map('mysql_real_escape_string', $_POST);
    $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
else
{
    // magic_quotes_gpc is on: remove the backslashes PHP added, then escape once
    $_GET    = array_map('stripslashes', $_GET);
    $_POST   = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
    $_GET    = array_map('mysql_real_escape_string', $_GET);
    $_POST   = array_map('mysql_real_escape_string', $_POST);
    $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}

I haven't yet used any of the strip_tags, htmlentities or other checks.

My first question is: am I placing the variables such as $id=$_GET; in the right place (i.e. BEFORE the escape and stripslashes) or should this be after? This code is currently placed in a global document which is included in the pages, so where should these checks be placed in order to check and sanitise the code going into the database? For example, if I include the above global code into a document at the top, then this would mean the above code gets read before the variables and database queries! Is that the right way to do it?

My second question is: how should I properly sanitise the user input if I want to allow basic HTML and CSS? So if I want a member to be able to use, for example, the following HTML tags: <b><br><p><img><a><font> and then CSS code to change the body attributes, then how would I create this?

I have seen this used in a script before output:

$input = badwords(smilies(strip_tags($input, "<b><i><u>")));

I am also aware from reading up on this that you can use htmlentities, but when and where do you use all of this? And how would you use them to make sure the input is properly sanitised and checked?

Please would anyone help me work this out?

Many Thanks and Happy New Year! :)
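The following is an added example illustrating the two concerns the post mixes together; it is not the poster's code and not a reply from the thread. It separates SQL safety (a PDO prepared statement, so nothing needs to be escaped into `$_GET`/`$_POST`/`$_COOKIE`) from HTML safety (an allow-list sanitiser built on DOMDocument that keeps only the six tags the poster lists, with a fixed set of attributes per tag and only http(s) URLs in `href`/`src`) and adds a conservative filter for the body CSS. The table and column names (`members`, `profile_html`, `profile_css`), the form field names and the `$sample` input are assumptions made for the example.

```php
<?php
// Added example (not the poster's code): allow-list HTML sanitiser, conservative
// CSS filter and prepared-statement storage. Table/column names are assumptions.

// The tags the poster wants, each with the attributes it may keep. Anything else
// (script, style, iframe, on* handlers, style="...") is removed.
const ALLOWED_TAGS = [
    'b'    => [],
    'br'   => [],
    'p'    => [],
    'img'  => ['src', 'alt', 'width', 'height'],
    'a'    => ['href', 'title'],
    'font' => ['color', 'size', 'face'],
];

// href/src must be absolute http(s) URLs; this rejects javascript: and data: URLs.
function safe_url(string $url): bool
{
    return (bool) preg_match('#^https?://#i', trim($url));
}

// Recursively prune a parsed DOM tree down to the allow-list.
function sanitise_node(DOMNode $node): void
{
    // Iterate over a copy: removing children from the live list while walking it skips nodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue; // plain text; saveHTML() escapes it on output
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child); // comments, processing instructions
            continue;
        }
        $tag = $child->tagName; // libxml lowercases HTML tag names
        if (!isset(ALLOWED_TAGS[$tag])) {
            // Disallowed element: keep its text (as strip_tags() would), drop the element.
            $node->replaceChild($node->ownerDocument->createTextNode($child->textContent), $child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $drop = !in_array($name, ALLOWED_TAGS[$tag], true)
                 || (($name === 'href' || $name === 'src') && !safe_url($attr->value));
            if ($drop) {
                $child->removeAttribute($attr->name);
            }
        }
        sanitise_node($child);
    }
}

function sanitise_html(string $input): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate the sloppy markup members will post
    $doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . $input . '</body></html>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    sanitise_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child); // re-serialises with text/attribute values escaped
    }
    return $out;
}

// Body CSS: a few properties only, values limited to a conservative character set so
// url(), expression() and @import cannot get through; background-image is special-cased.
const ALLOWED_CSS = ['background-color', 'background-image', 'color', 'font-family', 'font-size'];

function sanitise_css(string $css): string
{
    $kept = [];
    foreach (explode(';', $css) as $decl) {
        if (strpos($decl, ':') === false) {
            continue;
        }
        [$prop, $value] = array_map('trim', explode(':', $decl, 2));
        $prop = strtolower($prop);
        if (!in_array($prop, ALLOWED_CSS, true)) {
            continue;
        }
        if ($prop === 'background-image') {
            // Only url("http(s)://...") with no quotes, parentheses or whitespace in the URL.
            if (!preg_match('#^url\(\s*["\']?(https?://[^"\'()\s]+)["\']?\s*\)$#i', $value, $m)) {
                continue;
            }
            $value = 'url("' . $m[1] . '")';
        } elseif (!preg_match('/^[A-Za-z0-9#%.,\s-]+$/', $value)) {
            continue;
        }
        $kept[] = "$prop: $value";
    }
    return $kept ? 'body { ' . implode('; ', $kept) . '; }' : '';
}

// SQL is a separate concern: the prepared statement keeps the values out of the query
// text, so no mysql_real_escape_string over the superglobals is needed.
function save_profile(PDO $pdo, int $id, string $html, string $css): void
{
    $stmt = $pdo->prepare('UPDATE members SET profile_html = :html, profile_css = :css WHERE id = :id');
    $stmt->execute([':html' => $html, ':css' => $css, ':id' => $id]);
}

// Constructed sample input (not real member data) showing the sanitiser at work.
$sample = '<p onclick="x()">Hi <b>there</b> <a href="javascript:alert(1)">bad</a>'
        . ' <a href="https://example.com/">ok</a></p><script>alert(1)</script>';
echo sanitise_html($sample), "\n";
echo sanitise_css('color: #333; background-image: url(http://example.com/bg.png); behavior: url(x)'), "\n";
// In the page that handles the form: $id = (int) $_GET['id']; then
// save_profile($pdo, $id, sanitise_html($_POST['profile_html'] ?? ''), sanitise_css($_POST['profile_css'] ?? ''));
```

On the poster's first question: with this layout there is nothing to "escape" into `$_GET` at all. The `$id` is cast to an integer where it is read, the HTML and CSS go through the sanitisers before they are stored (and can be run through again at output time if the allow-list ever changes), and every other field that is shown back to a browser, such as a display name, goes through `htmlspecialchars()` at the point where it is echoed. Escaping for SQL and escaping for HTML are different operations applied in different places, which is why doing both to the superglobals in one global include does not work well.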
