views: 50
answers: 2

I want my users to be able to write an article in Markdown, have it stored in the MySQL database (with the option to edit it in the future), and displayed for other users.

In practice, this is my understanding of how it works:

INPUT

  1. user input via HTML form using Markdown syntax
  2. $queryInput = mysql_real_escape_string($userInput);
  3. insert sanitized string into database

OUTPUT

  1. query field from database
  2. $output = Markdown($queryResult);
  3. display $output

Is that it?

Does PHP Markdown preclude the need for htmlspecialchars or Pure HTML?

Thanks!

A: 

I dunno what this Markdown is, but yes, if user input is being displayed in the browser, it should be sanitized using htmlspecialchars.

Col. Shrapnel
+1  A: 

I evaluated the use of markdown in PHP some weeks ago (and decided not to use it, by the way). My thoughts:

  • It might not be a good idea to run the markdown parser each time the output is rendered - parsing the comment is quite expensive and the usual blog comment (as an example) is far more often read than written. You should run the markdown parser BEFORE saving the user input into the database!

  • Now the really tough problem: Markdown does not do any security checks by itself. All XSS attacks are happily passed through. If you now think "no problem, I'll just strip_tags right after getting the user input", think again: it is quite possible that Markdown creates the tags containing the XSS while processing the user input. So, you have to check the HTML code created by Markdown for security problems - a very hard task which is very error-prone. (That was the reason for not using it in my case - the benefit had no good ratio to the potential costs.)

Steffen Müller
Thanks for the reply. 2 questions: (1) if I parse before saving to the database, how can users edit their articles? (2) what did you decide to do in lieu of Markdown?
Andrew Heath
Parser performance compromise - what if I saved 2 copies of user input, one copy of the original, one copy of the parsed. Then I'd only have to parse it once, and if the user wanted to edit I could give them the original and overwrite the parsed copy when they're done...
Andrew Heath
Storing 2 copies, one parsed and one original, was also my approach. Think it's a good idea. I looked into Markdown for a blog commenting module and used normal plain text with nl2br instead (adding a regular expression for highlighting links). For this use case, Markdown was a little overkill, anyway.
Steffen Müller
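The pipeline this thread converges on, as an added PHP example that is not code from the original question or answers: the raw Markdown is stored so the author can edit it later, the rendered HTML is stored so the parser runs once per write rather than once per read, SQL goes through prepared statements instead of mysql_real_escape_string, and the HTML that Markdown produces is checked against an allowlist rather than running strip_tags on the input. It assumes classic PHP Markdown's markdown.php (which defines Markdown()), a PDO connection, and a hypothetical articles table with body_markdown and body_html columns; the sample inputs at the bottom are constructed.

```php
<?php
// Added example, not from the original post. Assumptions: classic PHP Markdown
// (markdown.php, defining Markdown($text)) is on the include path, $db is a PDO
// connection, and a hypothetical table articles(author_id, body_markdown, body_html).
require_once 'markdown.php';

// Store two copies: the raw Markdown so the author can edit it later, and the
// rendered, sanitized HTML so the parser runs once per write, not once per read.
// Prepared statements replace mysql_real_escape_string() on the SQL side.
function saveArticle(PDO $db, int $authorId, string $rawMarkdown): void
{
    $stmt = $db->prepare(
        'INSERT INTO articles (author_id, body_markdown, body_html) VALUES (?, ?, ?)'
    );
    $stmt->execute([$authorId, $rawMarkdown, renderSafeHtml($rawMarkdown)]);
}

// Render first, sanitize second. htmlspecialchars() on the input would break
// Markdown's own HTML, and strip_tags() on the input misses tags that Markdown
// generates itself, e.g. [x](javascript:alert(1)) -> <a href="javascript:alert(1)">.
function renderSafeHtml(string $markdown): string
{
    return sanitizeHtml(Markdown($markdown));
}

// Allowlist-based HTML sanitizer: anything not listed is removed, not escaped.
function sanitizeHtml(string $html): string
{
    $allowedTags = [
        'p' => [], 'br' => [], 'em' => [], 'strong' => [], 'code' => [], 'pre' => [],
        'blockquote' => [], 'ul' => [], 'ol' => [], 'li' => [],
        'h1' => [], 'h2' => [], 'h3' => [], 'h4' => [],
        'a' => ['href', 'title'],
    ];
    $allowedSchemes = ['http', 'https', 'mailto'];

    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);      // user HTML is rarely well-formed
    // Wrap the fragment so multiple top-level nodes parse under one root element.
    $doc->loadHTML(
        '<?xml encoding="UTF-8"?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = $doc->documentElement;                 // the wrapper <div>
    cleanNode($root, $allowedTags, $allowedSchemes);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node, array $allowedTags, array $allowedSchemes): void
{
    // Walk a static copy: the tree is modified during iteration.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset($allowedTags[$tag])) {
                $node->removeChild($child);        // <script>, <img onerror=...>, <iframe>, ...
                continue;
            }
            // Drop every attribute not allowlisted for this tag (on*, style, class, ...).
            foreach (iterator_to_array($child->attributes) as $attr) {
                if (!in_array(strtolower($attr->name), $allowedTags[$tag], true)) {
                    $child->removeAttribute($attr->name);
                }
            }
            if ($tag === 'a' && $child->hasAttribute('href')) {
                // Browsers ignore control characters and whitespace inside a scheme,
                // so strip them before deciding ("java\tscript:" is still javascript:).
                $href = preg_replace('/[\x00-\x20\x7f]+/', '', $child->getAttribute('href'));
                $scheme = parse_url($href, PHP_URL_SCHEME);  // null = relative URL, false = unparsable
                if ($scheme === false
                    || ($scheme !== null && !in_array(strtolower($scheme), $allowedSchemes, true))) {
                    $child->removeAttribute('href'); // javascript:, data:, vbscript:, ...
                } else {
                    $child->setAttribute('href', $href);
                }
            }
            cleanNode($child, $allowedTags, $allowedSchemes);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);            // comments, CDATA, processing instructions
        }
    }
}

// Constructed sample inputs (not from the original post).
foreach ([
    'Some **bold** text with a [link](http://example.com/ "title").',
    '[click me](javascript:alert(1))',            // the dangerous tag is created by Markdown
    '<img src=x onerror=alert(1)> <script>alert(1)</script> plain text',
] as $sample) {
    echo renderSafeHtml($sample), "\n";
}
```

The second sample is the case the answer warns about: the input contains no tag for strip_tags to find, yet Markdown emits an anchor with a javascript: href, which the scheme check strips. For editing, load body_markdown back into the form and re-run saveArticle (or an UPDATE with the same two columns) on save, so body_html is never written from anything but a fresh render plus sanitize.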