tags:

views:

74

answers:

3
Q: 

Converting back to HTML characters

A: 

http://us3.php.net/manual/en/function.htmlspecialchars-decode.php This is the answer to your problems.

I am not sure how you should store the HTML tags. Obviously you can't store them in their original form, and it is bloated to use them with special entities. I recommend instead linking to a file that can be accessed that holds the HTML in it.

OK, you can store them as such, but you should use http://us3.php.net/manual/en/function.addslashes.php this function, too.

I don't think it's efficient to store a large block of HTML in the field; I guess it depends on the size.

0x90  2010-10-03 03:14:02
0x90, why can't you store them in the original form? That's what I recommend. I don't think having a separate file for each string makes any sense.
Matthew Flaschen  2010-10-03 03:27:09
`addslashes` is not recommended. You should use prepared statements (e.g. `PDOStatement` or `MySQLi_STMT`), or a db-specific function like `mysql_real_escape_string`.
Matthew Flaschen  2010-10-03 17:39:16
A: 

I wouldn't recommend storing entities in the database at all. Even for a user field that was to be treated as plain text, I would escape it it immediately before output.

However, here, it seems you have a trusted HTML string (e.g. from a catalog). So just store it as:

V3008-02, WS1 Drain Fitting 1” Straight w/Silencer

or:

A 'quote' is <b>bold</b>

and dump it directly to output. There's no reason to use even &rdquo; because you should be able to include it directly with the Unicode encoding of your choice (e.g. UTF-8).

Matthew Flaschen  2010-10-03 03:30:57
A: 

The content should be stored in the database in the original form. For example: 

<p>this is a paragraph</p>

should be stored exactly as:

<p>this is a paragraph</p>

To make SQL injection impossible just escape the input strings with a proper escape function and sanitize your data (for example if it is supposed to be an integer, do an (int) cast). If you're using a framework this will be done for you by the database layer. I used to also do my own escape functions which are pretty easy to do.

Upon display in an HTML page one should use htmlentities (or for example Zend_View's escape method). There is no imminent reason why one would not accept storing special characters in the database as long as the database accepts them and the content is safely output to prevet XSS and such.

The idea behind my arguments is that content should be "exportable" for any platform/place. So if it's an HTML page you are going to use htmlentities(), if it's a CSV file you're going to use CSV exporting functions to process that text, etc.

Slavic  2010-10-03 18:01:41
"just escape the input" won't make SQL injection impossible
Col. Shrapnel  2010-10-03 18:06:09
Could you supply a way in which properly escaped data will still present an SQL injection risk? And perhaps then downvote...
Slavic  2010-10-03 18:12:54
`$id = mysql_real_escape_string($_GET['id']); $sql = "SELECT * from news WHERE id = $id";` then request `?id=1 UNION users etc`
Col. Shrapnel  2010-10-03 18:23:39
Thank you for your reply. That should perhaps help many people improve their code. I, however, still do not agree that my answer deserved a downvote. Here's the reason: when I escape my input I also mean that an Integer should have (int) cast which will make your SQL injection impossible in my code. Suppose we have a string, then the SQL would have the quotes around your $_GET['id] which again will render useless your attack.
Slavic  2010-10-03 18:41:28
`when I escape my input I also mean` well I am talking of the answer you wrote. I cannot know what do you *mean.* And your answer is just wrong and misleading one.
Col. Shrapnel  2010-10-03 18:59:23
My answer focused on how is data supposed to be stored. Not on what should be the proper data sanitization technique, which is what the questioner has requested.
Slavic  2010-10-03 19:02:49
You should've pronounced yourself either for or against storing data in its original form, rather than focusing on particular, mot-a-mot sentence.
Slavic  2010-10-03 19:05:16
Aren't comments especially for this?
Col. Shrapnel  2010-10-03 19:13:08
Comments - absolutely positively yes. Downvoting - no!
Slavic  2010-10-03 19:18:16
Too much concern for this silly feature :)
Col. Shrapnel  2010-10-03 19:24:55
If you say so. I used to think it was a way to quickly scheme through the replies and find the "right" answer.
Slavic  2010-10-03 19:27:14
It seldom reflect real answer's value. It's subjective by design. There are too few professionals around and too much enthusiasts, to expect anything valuable from these points. Tough I didn't touch this button until your recent comments. My note was plain and simple and I don't see any reason to argue it. Though if it bothers you too much you can make dummy edition to your question, so I'll be able to push it back
Col. Shrapnel  2010-10-03 19:52:04

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?