September 12th, 2013, 10:28 AM
Entering HTML formatted text into database
How do I store all the html formatting into a database that is safe from mysql injection?
I have an inbuilt editor, TinyMCE that sends formatting details to the page that is displaying the text. It displays all the text correctly according to formatting that is put into the page that processes the text, but I heard inputting html tags can cause XSS attacks. Is this true? If so, how do I store all the formatting of the text into a database?
September 12th, 2013, 11:21 AM
XSS attacks have nothing to do with data going into the database but rather with it being output to the screen!
As long as you use PDO's parameterised version, you should be safe.
Only at the point of outputting the data would you use something like htmlentities.. however this can get a bit tricky as it will also change the formatting of the user, for example if I typed
<p>, htmlentities would turn it into &lt;p&gt;..
Unless you can control which characters get html-entitied, i.e. in this case you would want just the script.
Doesn't TinyMCE already disallow such code? If it does then you don't need htmlentities or anything.
September 12th, 2013, 11:42 AM
I don't know much about the TinyMCE editor other than that I've just installed it into my code.
September 12th, 2013, 01:17 PM
What TinyMCE allows or disallows is ultimately irrelevant. You have to assume that a hacker could bypass it altogether and perform the POST manually, sending HTML even if TinyMCE wouldn't.
Originally Posted by paulh1983
What would probably be needed here is a good validation flow, looking specifically for dangerous tags like <script>.
Originally Posted by cssbonding
Needless to say, accepting full HTML for later display adds a lot of risk because, unlike other, more precise user input, you can't just throw it through htmlentities() and call it a day.
When I began to build my own forum software I idealistically wanted to support full HTML input due to the flexibility, but ultimately decided it wasn't worth the risk.
That said, TinyMCE has a BBCode plugin you can use to deal in those tags rather than HTML tags. Then, when you go to output the contents, you can escape it properly then convert the BBCodes to their HTML counterparts.
There are PHP libraries out there that handle BBCode conversions. I've used one myself, though I can't recall its name off-hand.
Last edited by dmittner; September 12th, 2013 at 01:20 PM.
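A minimal PHP sketch of the flow dmittner describes, added here and not code from the thread: a PDO prepared statement for storage, then on output escape everything with htmlspecialchars and convert only a fixed whitelist of BBCode tags back to HTML. The table name, column name, in-memory SQLite database and the sample post are constructed for the example.

```php
<?php
// Added example: store the raw body with a PDO prepared statement, escape on
// output, then re-introduce formatting through a BBCode whitelist only.
// Uses an in-memory SQLite database (constructed) so it runs stand-alone.

function storePost(PDO $db, string $body): int {
    // Parameterised insert: the body is bound as data, never spliced into SQL.
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

function renderPost(string $body): string {
    // Step 1: neutralise every HTML-significant character, including any
    // <script> that a hand-crafted POST slipped past the editor.
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: formatting comes back only via these BBCode tags; anything
    // not matched here stays as escaped, inert text.
    $rules = [
        '~\[b\](.*?)\[/b\]~s' => '<strong>$1</strong>',
        '~\[i\](.*?)\[/i\]~s' => '<em>$1</em>',
        '~\[p\](.*?)\[/p\]~s' => '<p>$1</p>',
        // Links: scheme restricted to http(s); the href is built from the
        // already-escaped text, so quotes cannot break out of the attribute.
        '~\[url=(https?://[^\]\s"]+)\](.*?)\[/url\]~s'
            => '<a href="$1" rel="nofollow">$2</a>',
    ];
    return preg_replace(array_keys($rules), array_values($rules), $safe);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample: what a manual POST could send, bypassing TinyMCE entirely.
$submitted = "[b]Hello[/b] O'Brien <script>alert(1)</script> "
           . "[url=http://example.com/]site[/url]";
$id = storePost($db, $submitted);

// The <script> survives in the database untouched (that is fine) and is
// emitted as &lt;script&gt; text, while the BBCode becomes real markup.
echo renderPost(loadPost($db, $id)), PHP_EOL;
```

The BBCode-to-HTML step runs after escaping, so the stored text is never trusted as markup; a real deployment would use a maintained BBCode library rather than these few regexes.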