PHP MYSQL

HOW TO REMOVE HTML TAGS IN PHP MYSQL

review_id | int(255) PRIMARY KEY
review_name | varchar(255)
review_text | text

DUMMY REVIEW TABLE

01

// THE INSERT SQL STATEMENT
// Both column values are bound through "?" placeholders, so the review name
// and text reach MySQL as data and are never concatenated into the SQL text.
// Binding protects the query only; it does not change the HTML the values may
// contain, so markup handling is still needed before they are displayed.
$stmt = $pdo->prepare(
  "   INSERT INTO `reviews`    (`review_name`, `review_text`)   VALUES  (?, ?)"
);

PHP INSERT INTO DATABASE

02

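// CONNECT TO DATABASE
// HOST, NAME, USER and PASSWORD stand for the real connection settings; load
// them from configuration kept outside the web root and version control.
//
// charset=utf8mb4: MySQL's "utf8" is a 3-byte subset, so 4-byte characters
// (emoji, some CJK) in a review cannot be stored through a utf8 connection.
// Declaring the charset in the DSN also keeps the driver's view of the
// encoding consistent with the server's.
$pdo = new PDO(
  "mysql:host=HOST;dbname=NAME;charset=utf8mb4",
  USER,
  PASSWORD,
  [
    // Fail loudly instead of returning false; explicit because the default
    // error mode differs between PHP versions.
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // Use server-side prepared statements so bound values are never
    // interpolated into the SQL text by the client library.
    PDO::ATTR_EMULATE_PREPARES => false,
  ]
);
// Catch and log connection failures rather than echoing them to the visitor:
// the exception message can reveal connection details.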

PROBLEMATIC REVIEW POST

03

// HIDDEN SCRIPT INSERTION
// Simulated form submission used by the following steps: the review text mixes
// harmless formatting tags with a <script> element, which is the kind of input
// that has to be neutralised before it is ever rendered in a page.
$_POST = array(
  "name" => "Le Hackr",
  "text" => "<strong>Good product!   </strong> <p>Foo Bar</p>   <script>alert('POO PAR')</script>"
);

REMOVE HTML TAGS (A)

04

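// TO STRIP ALL HTML TAGS
// Both submitted fields are cleaned: the name is attacker-controlled just like
// the text, so leaving it untouched would store any markup placed in it.
//
// strip_tags() removes the tags themselves but keeps the text between them, so
// the body of a <script> element remains as plain text in the stored review.
// It is input clean-up, not output encoding: values read back from the table
// should still be passed through htmlspecialchars() when written into a page.
$stmt->execute([
  strip_tags($_POST["name"]),
  strip_tags($_POST["text"]),
]);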

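// SELECTIVELY ALLOW SOME TAGS
// The name never needs markup, so every tag is stripped from it; only the
// review text may keep <p> and <strong>.
//
// Caveat: strip_tags() does not touch the attributes of the tags it allows.
// An allowed <p> or <strong> keeps any style or event-handler attribute the
// submitter attached, so this output is NOT safe to echo as trusted HTML.
// Where users may submit formatting, run the text through a maintained
// allow-list HTML sanitizer (for example HTML Purifier) that also filters
// attributes, and pair it with a Content-Security-Policy.
$stmt->execute([
  strip_tags($_POST["name"]),
  strip_tags($_POST["text"], "<p>   <strong>"),
]);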

REMOVE HTML TAGS (B)

05

REMOVE HTML TAGS (C)

06

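// OR CONVERT TO HTML ENTITIES
// Both fields are encoded, and the flags and charset are explicit:
//  - ENT_QUOTES encodes single as well as double quotes; before PHP 8.1 the
//    default left single quotes alone, which matters when the value ends up
//    inside a single-quoted attribute.
//  - ENT_SUBSTITUTE replaces invalid byte sequences instead of returning an
//    empty string.
//
// Design note: encoding before storage ties the stored data to HTML output.
// Do not encode it again when displaying (double-encoding), and do not reuse
// it unencoded-as-is in other contexts such as JSON, e-mail or CSV export.
// The more common pattern is to store the raw text and encode when rendering.
$stmt->execute([
  htmlentities($_POST["name"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8"),
  htmlentities($_POST["text"], ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8"),
]);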