ansaurus

Question

Store HTML into MySQL database

Answer 1

+1 A:

You need to escape a string before inserting it into database.

a1ex07 2010-04-14 22:46:22

Answer 2

+1 A:

Difficult to say without seeing the query. Can you post it?

I'm presuming there's some part of the html string that needs escaping, which maybe you missed?

Andy Hume 2010-04-14 22:46:53

Answer 3

+2 A:

Try using mysql_real_escape_string function on the string you want to store. It is the easiest way.

Sinan 2010-04-14 22:47:47

Answer 4

+4 A:

Strings in a SQL query are -usually- surrounded by singlequotes. E.g.

INSERT INTO tbl (html) VALUES ('html');

But if the HTML string itself contains a singlequote as well, it would break the SQL query:

INSERT INTO tbl (html) VALUES ('<form onsubmit="validate('foo', 'bar')">');

You already see it in the syntax highlighter, the SQL value ends right before foo and the SQL interpreter can't understand what comes thereafter. SQL Syntax Error!

But that's not the only, it also puts the doors wide open for SQL injections (examples here).

You'll really need to sanitize the SQL during constructing the SQL query. How to do it depends on the programming language you're using to execute the SQL. If it is for example PHP, you'll need mysql_real_escape_string():

$sql = "INSERT INTO tbl (html) VALUES ('" . mysql_real_escape_string($html) . "')";

An alternative in PHP is using prepared statements, it will handle SQL escaping for you.

If you're using Java (JDBC), then you need PreparedStatement:

String sql = "INSERT INTO tbl (html) VALUES (?)";
preparedStatement = connection.prepareStatement(sql);
preparedStatement.setString(1, html);

Update: it turns out that you're actually using Java. You'll need to change the code as follows:

String sql = "INSERT INTO website (URL, phishing, source_code, active) VALUES (?, ?, ?, ?)";
preparedStatement = connection.prepareStatement(sql);
preparedStatement.setString(1, URL);
preparedStatement.setString(2, phishingState);
preparedStatement.setString(3, sourceCode);
preparedStatement.setString(4, webSiteState);
preparedStatement.executeUpdate();

Don't forget to handle JDBC resources properly. You may find this article useful to get some insights how to do basic JDBC stuff the proper way. Hope this helps.

BalusC 2010-04-14 22:55:21

While using prepared statements prevent you from sql injection, do remember to escape the HTML when you pull it out and display it again ! If you do not, you'll be vulnerable to all sort of xss attacks.

nos 2010-04-14 23:19:17

@nos: completely right. That's however a story apart. Seeing the coding (variable names) as far, I'd expect it to be used for completely different purposes though :) @jouzef19: if this HTML is coming from *user input* and you are *ever* going to display this in a JSP page or so, then use [`fn:escapeXml()`](http://java.sun.com/products/jsp/jstl/1.1/docs/tlddocs/fn/escapeXml.fn.html) to sanitize it to avoid [XSS attacks](http://en.wikipedia.org/wiki/Cross-site_scripting) - [examples here](http://ha.ckers.org/xss.html).

BalusC 2010-04-14 23:22:09

ansaurus

tags:

views:

answers:

Store HTML into MySQL database

related questions