Secure plain/free text [closed]
I just want to give my users the freedom to put any character they want into their text, but without being able to harm either my design or my database.
Thanks for any help.
Escaping is the keyword.
SQL escape data before putting it in an SQL query. Alternatively, use prepared statements.
HTML escape data before outputting it into HTML.
JSON encode data when outputting it to JSON.
PREG escape data before using it as part of a regular expression.
You get the idea.
Basically, SQL, HTML, JSON, regular expressions and all these things are just text. Certain characters and symbols have special meaning in that text. Your data is text as well. If your data contains any of these characters that have a special meaning, you may get unwanted results. Escaping is the solution for this common problem. Use the appropriate escaping method for each situation.
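Putting the "one escaping method per sink" advice into code, as an added Python example that is not part of the original answer: a single constructed user string is run through a parameterized SQL statement, HTML entity encoding, JSON encoding and regex escaping, and the sample input and function names are my own.

```python
import html
import json
import re
import sqlite3

# Constructed sample input: one user-supplied string containing characters
# that are special in every sink named in the answer (SQL quote, HTML tag,
# JSON quotes, regex metacharacters).
USER_INPUT = "O'Brien <script>alert(1)</script> \"quoted\" 100% (a+b)*"


def store_and_fetch(text: str) -> str:
    # SQL sink: bind the value with a prepared (parameterized) statement so
    # the apostrophe in the data never becomes part of the SQL grammar.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (body TEXT)")
    conn.execute("INSERT INTO notes (body) VALUES (?)", (text,))
    (row,) = conn.execute("SELECT body FROM notes").fetchone()
    conn.close()
    return row  # identical to the input: stored verbatim, no injection


def to_html(text: str) -> str:
    # HTML sink: entity-encode <, >, &, and both quote styles before the
    # value is interpolated into markup.
    return "<p>" + html.escape(text, quote=True) + "</p>"


def to_json(text: str) -> str:
    # JSON sink: let the encoder quote and backslash-escape the string.
    return json.dumps({"body": text})


def contains_verbatim(needle: str, haystack: str) -> bool:
    # Regex sink: escape metacharacters so user text matches literally;
    # the raw pattern "(a+b)*" would match the empty string anywhere.
    return re.search(re.escape(needle), haystack) is not None


if __name__ == "__main__":
    print(store_and_fetch(USER_INPUT) == USER_INPUT)   # True
    print(to_html(USER_INPUT))
    print(to_json(USER_INPUT))
    print(contains_verbatim(USER_INPUT, "note: " + USER_INPUT))  # True
    print(contains_verbatim("(a+b)*", "a+b"))                    # False
```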
That is two separate problems.
You need to protect your database against SQL injection and your HTML against XSS.
The specifics for defending against them depend on the languages you are using; see the above links for starting points.