Secure plain/free text [closed]

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and canno开发者_开发问答t be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center. Closed 11 years ago.

I just want to give freedom to my users to put in their text any character they want, but without being able to harm nor my design nor my database.

thanks for any help

---

Escaping is the keyword.

SQL escape data before putting it in an SQL query. Alternatively, use prepared statements.
HTML escape data before outputting it into HTML.
JSON encode data when outputting it to JSON.
PREG escape data before using it as part of a regular expression.

You get the idea.

Basically, SQL, HTML, JSON, regular expressions and all these things are just text. Certain characters and symbols have special meaning in that text. Your data is text as well. If your data contains any of these characters that have a special meaning, you may get unwanted results. Escaping is the solution for this common problem. Use the appropriate escaping method for each situation.

---

That is two separate problems.

You need to protect your database against SQL injection and your HTML against XSS.

The specifics for defending against them depend on the languages you are using, see the above links for starting points.