Trying to stop bullets in textareas from entering

2019-05-15 03:19发布

I am using this currently, but it doesn't seem to be working for bullets:

function sanitizeMySQL($var){
        $var = mysql_real_escape_string($var);
        $var = sanitizeString($var);
        return $var;
}

function sanitizeString($var)
{
    $var = str_replace('•','•', $var);
    $var = htmlentities($var);
    $var = strip_tags($var);
    return $var;
}

This is what bullets show up like in my db after someone has submitted them through a textarea:

•

EDIT: This is now what I am getting: •.

I do have bullets stored in my db, so I know it allows them. Is there a correct way to store bullets in latin-1 encoding?

1条回答
男人必须洒脱
2楼-- · 2019-05-15 03:30

The data that is submitted through your form and your source code do not have the same encoding. Therefore the • characters from your source code do not match the ones in the actual data. Therefore they are not being replaced. Unify on a common encoding. See Handling Unicode Front To Back In A Web App.

Also, your sanitization strategy is pretty weird. I don't know what you have against "•", this should not be replaced in a general "sanitization" function. Furthermore, you're first HTML escaping everything, then are stripping tags. Hint: there won't be any tags anymore after you have escaped them. Next, you should not modify the string anymore after you have SQL escaped it. See The Great Escapism (Or: What You Need To Know To Work With Text Within Text).

查看更多
登录 后发表回答