Larry Ullman's Book Forums


Hello Larry and hello Community,

I bought the book PHP and MySQL for Dynamic Web Sites in English from the USA since I didn't see it in my native language.

I had a look through the whole book to get a general feeling, and then I will read the examples and teaching suggestions more carefully.

The book is very, very good in my opinion.

My question is about the best technique to store HTML inside a MySQL database.

I'm studying a bit how CKEditor works, but I think many HTML editors work more or less the same way: it uses a textarea to collect the HTML, so what you really need to do after a submit or similar process is simply get the value of the textarea and use PHP to store the HTML in the database.

I'm asking how to handle security, quotes and double-quote symbols, or other problems.

If I have understood, I can use mysql_real_escape directly when I get the textarea, simply before sending the HTML into MySQL, or I can use a prepared statement, and in this case I think I can't use mysql_real_escape, so perhaps I need to use htmlentities.

I'm a little confused about the conflicts you could have using htmlentities, prepared statements, mysql_real_escape, etc. together.

I'm not exactly sure what the best way is, generally speaking, in terms of 100% security and in terms of not ruining the HTML inside MySQL, and also I'm not sure what the procedure is to do the opposite, I mean get the HTML from MySQL and serve it in a page.

Thanks very much.

Andrea



Thanks for the nice words, Andrea! Really appreciated.

It sounds like you're on the right path. I would start by performing a minimum of validation in your PHP code upon submission. For example, if the content provided includes

Next, use prepared statements or an escaping function when inserting or updating the record in the database. So you're storing the HTML as provided, but preventing SQL Injection attacks.

Finally, there's the issue of outputting the HTML in the browser. You don't want to use htmlentities() there, presumably, because you want to use the actual HTML. However, you don't want to just output it without any safety measures. After fetching the HTML from the database, I'd recommend running it through strip_tags(), providing as the second argument the list of tags that should be allowed.

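The three steps in the answer above (store the HTML as received through a prepared statement, then reduce it to an allow-list with strip_tags() on output), written out as an added example that is not code from the thread or the book. The mysqli connection `$dbc`, the `pages` table with its `body` TEXT column, and the tag list are assumptions.

```php
<?php
// Added example, not code from the thread or the book: the three steps in the
// answer above for HTML submitted from an editor textarea. The mysqli
// connection $dbc, the `pages` table with its `body` TEXT column, and the
// tag list are assumptions.
// Tags the page may keep on output; anything else is removed by strip_tags().
const ALLOWED_TAGS = '<p><br><strong><em><ul><ol><li><a><h2><h3>';

// Store the submitted HTML exactly as received. The bound parameter keeps the
// quotes and backslashes inside the HTML out of the SQL, so neither
// mysqli_real_escape_string() nor htmlentities() is applied before storing.
function store_page_html(mysqli $dbc, string $html): int {
    $stmt = $dbc->prepare('INSERT INTO pages (body) VALUES (?)');
    $stmt->bind_param('s', $html);
    $stmt->execute();
    $stmt->close();
    return $dbc->insert_id;
}

// Fetch one stored body by id, again through a prepared statement.
function fetch_page_html(mysqli $dbc, int $id): ?string {
    $stmt = $dbc->prepare('SELECT body FROM pages WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($body);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $body : null;
}

// Reduce the stored HTML to the allow-list before echoing it. strip_tags()
// removes disallowed tags but leaves attributes on the tags it keeps, so the
// callback then drops every attribute except an http(s) href on <a>.
function render_page_html(string $html): string {
    $clean = strip_tags($html, ALLOWED_TAGS);
    return preg_replace_callback('/<(\w+)(\s[^>]*)?>/', function (array $m): string {
        $tag   = strtolower($m[1]);
        $attrs = $m[2] ?? '';
        if ($tag === 'a' && preg_match('/\bhref\s*=\s*"(https?:\/\/[^"]*)"/i', $attrs, $h)) {
            return '<a href="' . htmlspecialchars($h[1], ENT_QUOTES, 'UTF-8') . '">';
        }
        return '<' . $tag . '>';
    }, $clean);
}

// Usage on submission and on display (the form field name `body` is assumed):
// $id = store_page_html($dbc, $_POST['body']);
// echo render_page_html(fetch_page_html($dbc, $id) ?? '');
```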

Larry, I need another little bit of help for my little amateur project.

I know there is the danger that someone writes HTML code, for example JavaScript, in an input text field, and I know someone can write SQL code to inject into your database; this is the reason you need to filter, check, validate, prepare statements and use all the techniques that professionals teach you.

But, as a theoretical question, supposing I use nothing for good security, is it possible to write PHP code in an input text field and use it to create problems for your site (for example, I imagine submitting a form where someone writes a script in PHP that does a scandisk of a folder)?

I made some tests and it doesn't seem possible to do it; I also tried to look on the internet and I didn't see it (but sometimes it is not simple to google something because you don't know English perfectly well or you don't know the specific name of something). I ask you to confirm this impression and, if possible, to know why it is not possible to inject PHP code, since I don't get it very well.

Thanks Larry for your help and patience.


What you want to do is think about how malicious code is executed. SQL injection attacks are dangerous because user-submitted values are added to a query run on a database. Storing and displaying (in an HTML page) user-submitted values are dangerous because JavaScript is executed simply by being part of a web page.

With PHP code, that code is dangerous when it's executed. That means hard-written in a PHP script and then executed or run through a PHP function like exec(). You never want to run user-submitted values through exec(). So you're pretty safe in that area if you never do that.

You should also be careful when fetching a file from the server and sending that to the user (through the browser). You have to put in checks to make sure you're not carelessly making any file available for download.

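The check mentioned in the last paragraph above, as an added example that is not code from the thread or the book: a download script that only serves files sitting directly inside one fixed directory. The directory name `DOWNLOAD_DIR` and the `file` query parameter are assumptions.

```php
<?php
// Added example, not code from the thread or the book: the check mentioned
// above for a script that sends a server file to the browser, so that only
// files inside one fixed directory can be requested. DOWNLOAD_DIR and the
// `file` query parameter are assumptions.

const DOWNLOAD_DIR = __DIR__ . '/downloads';

// Return the absolute path of the requested file when it lies directly inside
// DOWNLOAD_DIR, or null for anything else: a missing file, a hidden file, or a
// name that resolves (through ../, an absolute path, or a symlink) elsewhere.
function resolve_download(string $requested): ?string {
    $name = basename($requested);        // keep only the file name part
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() has resolved symlinks, so a prefix test on the result is
    // a reliable containment check.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Send the file as a download, or a 404 when the request does not resolve.
function send_download(string $requested): void {
    $path = resolve_download($requested);
    if ($path === null) {
        http_response_code(404);
        exit('File not found.');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

send_download($_GET['file'] ?? '');
```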

I think I get it.

Recently I'm using an Ajax call to generate some HTML pages, and I started to get data from a PHP file.

I noticed that the JavaScript inside the PHP file didn't work, so I moved the JavaScript into the main HTML page that runs the Ajax call.

Probably you need to execute the JavaScript if you want it to work.

This is better for me since I'm concerned about security.

I think I can start my project. I have some other points to take care of, such as not allowing uploads of all kinds of files in the file system manager (this is in the documentation, I only need to read it well and test the doors I could leave open). I can't go outside the root in this project (I have a sort of little public folder space), so I thought to create the backend application inside a folder with an alphanumeric name that is impossible to guess, and not use a direct username and password login on the index page (you need to know the URL of the backend); then I will create a username and password in this hidden page (I can do it since it is a project for 3/4 users).

All the other things I see are in the book (about the best way to use password security, about cookies or sessions, etc.).

About MySQL injection, I think I get it and it's all written in the book.

I think I'm ready to start writing something without worrying a lot about security (which is a topic I confess I don't like very much, but it's very important to study).

Thanks again Larry for your very important help to learners.
