I am using this currently, but it doesn't seem to be working for bullets:
function sanitizeMySQL($var){
$var = mysql_real_escape_string($var);
$var = sanitizeString($var);
return $var;
}
function sanitizeString($var)
{
$var = str_replace('•','•', $var);
$var = htmlentities($var);
$var = strip_tags($var);
return $var;
}
This is what bullets show up like in my db after someone has submitted them through a textarea:
•
EDIT: This is now what I am getting: •
.
I do have bullets stored in my db, so I know it allows them. Is there a correct way to store bullets in latin-1 encoding?
The data that is submitted through your form and your source code do not have the same encoding. Therefore the
•
characters from your source code do not match the ones in the actual data. Therefore they are not being replaced. Unify on a common encoding. See Handling Unicode Front To Back In A Web App.Also, your sanitization strategy is pretty weird. I don't know what you have against "•", this should not be replaced in a general "sanitization" function. Furthermore, you're first HTML escaping everything, then are stripping tags. Hint: there won't be any tags anymore after you have escaped them. Next, you should not modify the string anymore after you have SQL escaped it. See The Great Escapism (Or: What You Need To Know To Work With Text Within Text).