This is what I use when I want to eliminate XSS, HTML and still preserve the user post content (even malicious code attempts)

    private function stripHTMLtags($str) {
        // Decode any existing entities first so already-encoded tags are stripped too
        $t = preg_replace('/<[^<>]+?>/', '', htmlspecialchars_decode($str));
        // Encode whatever is left so it is rendered as text, never as markup
        $t = htmlentities($t, ENT_QUOTES, "UTF-8");
        return $t;
    }

The first regex removes everything that has an HTML format and the htmlentities takes care of quotes and stuff. Use it in your controller every time you need to REALLY clean things up. Fast and simple.

E.g., this very malicious string with lots of code tags and stuff

    Just another post (http://codeigniter.com) blablabla text blabla:</p>1 from users; update users set password = 'password'; select * <div class="codeblock">[aça]<code><span style="color: rgb(221, 0, 0);">'username'</span><span style="color: rgb(0, 119, 0);">);&nbsp;</span><span style="color: rgb(255, 128, 0);">//&nbsp;filtered<br></span><span style="color: rgb(0, 0, 187);">- HELLO I'm a text with "-dashes_" and stuff '!!!?!?!?!$password&nbsp;</span></span>

<ok.>

Becomes

    Just another post (http://codeigniter.com) blablabla text blabla:1 from users; update users set password = 'password'; select * [aça]'username');&nbsp;//&nbsp;filtered- HELLO I'm a text with "-dashes_" and stuff '!!!?!?!?!$password&nbsp; <ok.>

It still has the code, but that won't do anything on your db. Use it like

    $this->stripHTMLtags($this->input->post('html_text'));

You can put this function inside a library so you don't have to hack CI :)
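The following is an added example, not code from the answer above or from CodeIgniter. It puts the answer's strip-then-encode function beside two things a reviewer would want to see next to it: plain output escaping (which removes nothing and so cannot lose legitimate text such as `a < b`), and a prepared statement showing that the SQL-looking text in the sample post is inert in the database because it is bound as a value, not because HTML tags were stripped. It assumes PHP 7.1+ with the pdo_sqlite extension; the function names and the sample inputs are constructed for the example.

```php
<?php
// Added example (not from the original answer). Assumes PHP 7.1+ and pdo_sqlite.
// Run with: php example.php

declare(strict_types=1);

/** The answer's approach: strip anything tag-shaped, then encode the rest. */
function stripHtmlTags(string $str): string
{
    // Decode first so already-encoded tags (&lt;b&gt;) are also removed.
    $t = preg_replace('/<[^<>]+?>/', '', htmlspecialchars_decode($str));
    // Encode what remains so the browser shows it as text, not markup.
    return htmlentities($t, ENT_QUOTES, 'UTF-8');
}

/** Output escaping only: nothing is removed; the text is shown verbatim. */
function escapeForHtml(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Store the post with a bound parameter and read it back.
 * The value is never parsed as SQL, so SQL-looking text changes nothing.
 */
function roundTripThroughDb(string $post): string
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    $db->exec('CREATE TABLE users (name TEXT, password TEXT)');
    $db->exec("INSERT INTO users VALUES ('alice', 'original')");   // constructed row

    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $post]);

    // Confirm the unrelated table is untouched by the stored text.
    $pw = $db->query("SELECT password FROM users WHERE name = 'alice'")->fetchColumn();
    if ($pw !== 'original') {
        throw new RuntimeException('users table was modified; binding failed');
    }

    return (string) $db->query('SELECT body FROM posts')->fetchColumn();
}

// Constructed sample inputs, modelled on the kinds of text in the answer.
$samples = [
    'legit'  => 'Just another post (http://codeigniter.com) with "quotes" and stuff',
    'markup' => '<span style="color: rgb(221, 0, 0);">\'username\'</span>',
    'math'   => 'a < b and b > c',   // legitimate angle brackets, no tags at all
    'sqlish' => "1 from users; update users set password = 'password'; select *",
];

foreach ($samples as $label => $input) {
    printf("%-7s in:    %s\n", $label, $input);
    printf("%-7s strip: %s\n", '', stripHtmlTags($input));
    printf("%-7s esc:   %s\n", '', escapeForHtml($input));
    printf("%-7s db:    %s\n\n", '', roundTripThroughDb($input));
}
```

The `math` sample is the one to watch: the regex treats `< b and b >` as a tag and the strip step returns `a  c`, while `escapeForHtml` keeps every character and still renders safely. The `sqlish` sample comes back from SQLite unchanged and the `users` row is untouched in every run, which is the property the answer describes; it comes from parameter binding, and the HTML stripping neither adds to nor substitutes for it.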