tags:

views:

281

answers:

5
+2  Q: 

Best practice. Do I save html tags in DB or store the html entity value?

Hi Guys,

I was wondering about which way i should do the following. I am using the tiny MCE wysiwyg editor which formats the users data with the right html tags. Now, i need to save this data entered into the editor into a database table.

Should I encode the html tags to their corresponding entities when inserting into the DB, then when i get the data back from the table, not have the encode it for XSS purposes but I'd still have to use eval for the html tags to format the text.

OR

Do i save the html tags into the database, then when i get the data back from the database encode the html tags to their entities, but then as the tags will appear to the user, I'd have to use the eval function to actually format the data as it was entered.

My thoughts are with the first option, I just wondered on what you guys thought.

+4  A: 

I would suggest storing the data in the database in as close to it's "natural" form as possible. Generally your database layer should not be concerned with whether a field contains HTML, Base64 Encoded Binary text, or just plain text. These are concerns for your view layer, when it decides how to render the content.

Thus, while you might want to do some preliminary screening for XSS attacks before you insert into the database, you should always screen for XSS before you send "untrusted" information to the browser.

This also has the advantage that if your XSS prevention algorithms improve in the future, you can implement it across your entire application just by changing the routines that display it, instead of having to scan your database for fields that might contain HTML, and then update them.

Adam N  2010-05-05 22:51:43
Also, consider if you need to send plain text e-mails or view the data in other ways. If your database is normalized to your HTML view, then other conversions may be awkward and you'll always be wondering which encoding it's in. Your view can always do caching if performance is a concern.
konforce  2010-05-05 23:11:39
+2  A: 

Neither. You store the HTML "as-is" so when you pull it out its ready fro rendering. You chouldnt be converting back and forth. What you put in should be what you display. What you want to do is filter the input before you put it into the DB. both tinyMCE and ck/fckEditor have facilities to limit the tags that can be used in an editor and it will strip those tags for you. Then you jsut need to perform any other necessary validation or formatting.

prodigitalson  2010-05-05 22:52:05
when you say "filter the input", can you just clarify what you mean?
phpNutt  2010-05-05 22:55:18
I want to make my application as secure as possible and thought that by converting tags to their html entities using the htmlentities function would be a step towards making it more secure.
phpNutt  2010-05-05 22:56:00
@matt: on its way in you want remove forbidden tags, correct invalid markup, etc.. then on he way out you might apply a filter to perform transformations, extra xss filtering, etc.. before its displayed. but you want whats in the db to be the baseline markup as Adam N, brian_d and Earlz suggest in thier answers.
prodigitalson  2010-05-06 01:46:53
+1  A: 

I would just check for SQL injections when inserting into the database and leave the html as is, in it's "raw" form.

I know that drupal does this and applies filters (eg. all html tags (no filter), certain tags only, xss filter, php code format, tokens, etc) on the fly. An advantage to this approach is that you don't destructively modify your input data if you want to change the filter used later.

brian_d  2010-05-05 23:03:55
+1  A: 

When I first started my blog, I decided I would convert from BBCode to HTML (and do sanity checks) and then put it in the database. Well, a month rolls by and turns out I had a layout issue. Now that my old HTML is "fixed" in the database, I soon learned that you should always store the initial text the user uses in the database and then convert it later in a request.

This makes it so you can fix bugs with HTML and XSS and it be retroactive.

Earlz  2010-05-05 23:39:31
A: 

One possibility is to store both the sanitized version and the original version. I use this with HTMLPurifier to avoid the performance problems that are created by live sanitization, while still allowing users to edit their content in its original form.

Needless to say it will take double the storage space but usually space isn't as much of an issue as speed and control.

Lotus Notes  2010-05-06 00:17:00

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases