tags:

views:

39

answers:

1
Q: 

What's the best practice method for storing raw php, javascript, html or similar in a mysql database?

The example web page has 2 fields and allows a user to enter a title and code. Both fields would later be embed and displayed in an HTML page for viewing and/or editing but not execution. In other words, any PHP or javascript or similar should not run but be displayed for editing and copying.

In this case, what is the best way to escape these fields before database insertion and after (for HTML display)

A: 

You need to use the function htmlspecialchars() in php

that will change any special characters (eg < and >) into their special HTML encoded characters (eg &lt and &gt). When you get these from the database and output them as HTML they will display as code, but won't harm your script or execute.

Thomas Clayson  2010-10-13 18:52:20
So, you recommend escaping everything before database insertion and then just displaying it to HTML?
Andres  2010-10-13 19:26:38
@Andres: his suggestion of encoding special characters is not the same as escaping. BTW, I don't recommend encoding as this puts you in a situation where you can potentially double-encode. There is no reason you can't insert the data without encoding. You can always filter and/or encode on the way out.
wilmoore  2010-10-13 23:34:15
@wilmoore thanks. I also considered encoding on the way out but quickly realized the potential problems that can occur if a programmer forgets to encode before displaying the data. At the moment, I'm using php like mysql_real_escape_string(htmlspecialchars( $data )) where $data is the code, before inserting to the database.
Andres  2010-10-15 15:07:43
@Andres: Generally, one would allow the model to handle the encoding on the way out ($model->getTitle()). The "getTitle" method would by default encode, or you can pass "false" to get it back un-encoded. This way, you are guaranteed to have an encoded result (or not if you choose in a particular context). This also protects you from double-encoding.
wilmoore  2010-10-15 21:17:17

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL