
When outputting user input I use this function:

function bbkoda($text) {
    // Escape HTML metacharacters first, then turn newlines into <br />
    $text = htmlspecialchars($text);
    $text = nl2br($text);

    // BBCode patterns to match (i = case-insensitive, s = dot matches newlines)
    $hitta = array(
        "'\[b](.*?)\[/b]'is",
        "'\[i](.*?)\[/i]'is"
    );

    // HTML replacements; \1 is the text captured between the BBCode tags
    $byt = array(
        "<b>\\1</b>",
        "<i>\\1</i>"
    );

    $text = preg_replace($hitta, $byt, $text);

    return $text;
}

This is pretty safe, right? I sanitize everything I insert into the db with mysql_real_escape_string and output it with htmlspecialchars. I'm a very doubtful person :P

Thanks

  • Rather than using BBCode, why not use Markdown or reStructuredText? Commented Jun 25, 2009 at 4:38
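For reference, here is a hardened variant of the asker's output function together with a small self-check. This is an added example of mine, not the asker's or the answerer's code; it assumes PHP 5.4 or later (for ENT_SUBSTITUTE) and UTF-8 stored text, and the function and variable names (bbkoda_hardened, $cases) are my own. The important property it preserves from the original is the order of operations: the whole string is HTML-escaped before the [b]/[i] markers are rewritten, so the captured content can only ever contain escaped text and the <br /> tags that nl2br emitted.

```php
<?php
// Added example (not the asker's code): a hardened bbkoda() and a self-check.
// Assumes PHP >= 5.4 and UTF-8 input; names are hypothetical.

function bbkoda_hardened($text)
{
    // Escape first, so nothing the user typed can reach the output as markup.
    // ENT_QUOTES also encodes single quotes (before PHP 5.4 the default did not),
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
    // and passing the charset explicitly avoids relying on the configured default.
    $text = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $text = nl2br($text);

    // Only the literal tags [b]...[/b] and [i]...[/i] are rewritten. The captured
    // group is already escaped, so it cannot introduce tags or attributes.
    $hitta = array(
        '/\[b\](.*?)\[\/b\]/is',
        '/\[i\](.*?)\[\/i\]/is',
    );
    $byt = array(
        '<b>$1</b>',
        '<i>$1</i>',
    );

    return preg_replace($hitta, $byt, $text);
}

// Constructed inputs with the exact output expected for each.
$cases = array(
    "[b]hello[/b]"                         => "<b>hello</b>",
    "<script>alert(1)</script>"            => "&lt;script&gt;alert(1)&lt;/script&gt;",
    "[b]<img src=x onerror=alert(1)>[/b]"  => "<b>&lt;img src=x onerror=alert(1)&gt;</b>",
    "it's [i]fine[/i]"                     => "it&#039;s <i>fine</i>",
    "[b]unclosed"                          => "[b]unclosed",
    "line1\nline2"                         => "line1<br />\nline2",
);

$failures = 0;
foreach ($cases as $input => $expected) {
    $actual = bbkoda_hardened($input);
    if ($actual !== $expected) {
        $failures++;
        echo "FAIL: " . var_export($input, true) . "\n  got:      $actual\n  expected: $expected\n";
    }
}
echo $failures === 0 ? "all cases passed\n" : "$failures case(s) failed\n";
```

Run it with `php` on the command line; every case should pass. The self-check is the part worth keeping around: each time a new BBCode tag is added to the patterns, add a case that puts HTML inside it and confirm the output still contains only the tags the function itself emits. Tags that take a parameter (a URL, an image source) would need an additional allow-list check on that parameter, which the two tags here do not require.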

1 Answer


There is already a quite good explanation on Stack Overflow on this topic. Basically you definitely need to work on your in- and output to get it really safe!
