
I want users to write articles in Markdown, save them to a MySQL database (with the option to edit them later), and display them to other users.

Actually, this is my understanding of how it would work:

Input

  1. User input via an HTML form, using Markdown syntax
  2. $queryInput = mysql_real_escape_string($userInput);
  3. Insert the sanitized string into the database

Output

  1. Query the field from the database
  2. $output = Markdown($queryResult);
  3. Display $output

Is that it?

Does PHP Markdown eliminate the need for htmlspecialchars or Pure HTML?

Thanks!


1 Answer


I evaluated the use of markdown in PHP some weeks ago (and decided not to use it, by the way). My thoughts:

  • It might not be a good idea to run the markdown parser each time the output is rendered - parsing the comment is quite expensive, and the usual blog comment (as an example) is read far more often than it is written. You should run the markdown parser BEFORE saving the user input into the database!

  • Now the really tough problem: Markdown does not do any security checks by itself. All XSS attacks are happily passed through. If you now think "no problem, I'll just strip_tags right after getting the user input", think again: it is quite possible that markdown creates the tags containing the XSS while processing the user input. So, you have to check the HTML code created by markdown for security problems - a very hard task which is very error-prone. (That was the reason for not using it in my case - the benefit had no good ratio to the potential costs.)

Answered 2010-05-04T10:36:33.990
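The pipeline the answer argues for (render Markdown once at write time, then sanitize the rendered HTML rather than the Markdown source), as an added example that is not code from the question, the answer, or any Markdown project. It assumes the michelf/php-markdown library is installed via Composer and exposes `Michelf\Markdown::defaultTransform()`, that `$db` is a PDO connection, and that the `articles` table and its columns are invented for this example; the tag, attribute and URL-scheme allowlists are my own choices, and a mature library such as HTML Purifier would be the usual replacement for the hand-written `sanitizeRenderedHtml()`.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer. Markdown is rendered
// once at write time, the *rendered* HTML goes through an allowlist sanitizer,
// and both the Markdown source (for later editing) and the sanitized HTML (for
// cheap display without re-rendering) are stored.
// Assumptions: michelf/php-markdown via Composer, a PDO connection in $db, and
// an invented `articles` table with columns id, author_id, body_markdown, body_html.

require __DIR__ . '/vendor/autoload.php';

use Michelf\Markdown;

const ALLOWED_TAGS = ['p', 'br', 'em', 'strong', 'code', 'pre', 'blockquote', 'hr',
                      'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'a'];
const ALLOWED_ATTRS = ['a' => ['href', 'title']];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

/** True if $url is relative or uses an allowlisted scheme. */
function urlHasAllowedScheme(string $url): bool
{
    // Browsers ignore ASCII whitespace/control characters inside a URL, so strip
    // them before looking at the scheme; otherwise "java\nscript:" reads as relative.
    $compact = preg_replace('/[\x00-\x20]+/', '', $url) ?? '';
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $compact, $m) === 1) {
        return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
    }
    return true; // no scheme at all: a relative URL
}

/** Recursively drop every element, attribute and non-text node that is not allowlisted. */
function sanitizeNode(DOMNode $node): void
{
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                $node->removeChild($child); // script/style/iframe/img/... go, content included
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                    && ($name !== 'href' || urlHasAllowedScheme($attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name); // on* handlers, style, bad hrefs
                }
            }
            sanitizeNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments, CDATA, processing instructions
        }
    }
}

/** Allowlist sanitizer for the HTML fragment produced by the Markdown renderer. */
function sanitizeRenderedHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // fragments are not full documents; ignore notices
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0); // our wrapper is the outermost div
    if ($root === null) {
        return '';
    }
    sanitizeNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

/** Write path: render + sanitize once, store both source and HTML. Returns the new id. */
function storeArticle(PDO $db, int $authorId, string $markdownSource): int
{
    $renderedHtml = sanitizeRenderedHtml(Markdown::defaultTransform($markdownSource));
    $stmt = $db->prepare('INSERT INTO articles (author_id, body_markdown, body_html)
                          VALUES (:author, :md, :html)'); // bound parameters, no manual escaping
    $stmt->execute([':author' => $authorId, ':md' => $markdownSource, ':html' => $renderedHtml]);
    return (int) $db->lastInsertId();
}

/** Read path: the stored HTML is already sanitized; echo it as-is, never re-parse it. */
function showArticle(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body_html FROM articles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $html = $stmt->fetchColumn();
    return $html === false ? '' : (string) $html;
}

// Constructed input: the link contains no "<" at all, so strip_tags() on the Markdown
// would change nothing, yet the renderer emits an <a> with a javascript: href.
// The inline <script> block is passed through by Markdown untouched.
$untrusted = "Hello [world](javascript:void(0)) and *more*\n\n<script>/* untrusted */</script>";
echo sanitizeRenderedHtml(Markdown::defaultTransform($untrusted)), PHP_EOL;
// $id = storeArticle($db, 42, $untrusted);   // write path
// echo showArticle($db, $id);                // read path
```

Two design points follow from the answer: the sanitizer runs on the renderer's output, so it does not matter whether a dangerous tag or URL was typed literally or manufactured by the Markdown conversion, and the rendered HTML is stored next to the source so display is a plain column read. Bound parameters in PDO also remove the need for `mysql_real_escape_string` on the write path; that escaping addresses SQL injection only and has nothing to do with the XSS problem the answer describes.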