#1
    Entering HTML formatted text into database


How do I store all the HTML formatting in a database in a way that is safe from MySQL injection?

I have a built-in editor, TinyMCE, that sends formatting details to the page that displays the text. It displays all the text correctly according to the formatting that is put into the page that processes the text, but I heard inputting HTML tags can cause XSS attacks. Is this true? If so, how do I store all the formatting of the text in a database?
#2
XSS attacks have nothing to do with data going into the database but rather with it being output to the screen!

As long as you use PDO's parameterised version, you should be safe.

Only at the point of outputting the data would you use something like html_entities.. however this can get a bit tricky as it will also change the user's formatting. For example, if I typed

Code:
<p>Hello</p> <script type='text/javascript'>alert(cookies)</script>

html entities would turn <p> into &lt;p&gt;..

unless you can control which characters get html_entitied, i.e. in this case you would want just the script.

Doesn't TinyMCE already disallow such code? If it does then you don't need htmlentities or anything
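The two separate concerns described above, storage and output, as an added example (not code from the thread or from TinyMCE). It assumes the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; the table name and the sample post are made up for the example.

```php
<?php
// Added example, not from the thread: store the user's HTML unchanged with a
// PDO prepared statement (no SQL injection), then escape only when rendering
// (no XSS). Assumes pdo_sqlite; the "posts" table is invented for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input, the same shape as the thread's example: a
// harmless paragraph followed by an injected script.
$submitted = "<p>Hello</p> <script type='text/javascript'>alert(cookies)</script>";

// 1. Store it unchanged. The value travels as a bound parameter, so quotes,
//    tags and semicolons inside it can never become part of the SQL text.
$insert = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
$insert->execute([':body' => $submitted]);

// 2. Read it back exactly as stored; nothing was escaped on the way in, so
//    the database holds the user's original formatting.
$select = $db->prepare('SELECT body FROM posts WHERE id = :id');
$select->execute([':id' => 1]);
$stored = $select->fetchColumn();
assert($stored === $submitted);

// 3. Escape at the moment of output. ENT_QUOTES covers both quote styles,
//    which matters when the value ends up inside an HTML attribute.
function render_escaped(string $html): string
{
    return htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$escaped = render_escaped($stored);

// The script is neutralised: the browser shows "<script>" as literal text.
// But, exactly as the post warns, the <p> the user meant as formatting is
// shown as literal text too, so blanket escaping cannot preserve rich markup.
echo "stored  : ", $stored, PHP_EOL;
echo "rendered: ", $escaped, PHP_EOL;
```

The point to take from running it is that the stored value and the rendered value differ only at the output step; if a later page forgets to call the escaping function, the stored script runs, which is why the escaping belongs in the rendering code path rather than being done once at insert time.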
#3
I don't know much about the TinyMCE editor other than that I've just installed it into my code
#4 Dazed&Confused
Originally Posted by paulh1983:
    Doesn't TinyMCE already disallow such code? If it does then you don't need htmlentities or anything
    What TinyMCE allows or disallows is ultimately irrelevant. You have to assume that a hacker could bypass it altogether and perform the POST manually, sending HTML even if TinyMCE wouldn't.

Originally Posted by cssbonding:
    I don't know much about the TinyMCE editor other than that I've just installed it into my code
    What would probably be needed here is a good validation flow, looking specifically for dangerous tags like <script>.

    Needless to say, accepting full HTML for later display adds a lot of risk because, unlike other, more precise user input, you can't just throw it through htmlentities() and call it a day.

    When I began to build my own forum software I idealistically wanted to support full HTML input due to the flexibility, but ultimately decided it wasn't worth the risk.

    That said, TinyMCE has a BBCode plugin you can use to deal in those tags rather than HTML tags. Then, when you go to output the contents, you can escape it properly then convert the BBCodes to their HTML counterparts.

    There are PHP libraries out there that handle BBCode conversions. I've used one myself, though I can't recall its name off-hand.
    Last edited by dmittner; September 12th, 2013 at 02:20 PM.
    LinkedIn: Dave Mittner
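The BBCode route described in the post above, as an added example (not the thread's code, not TinyMCE's BBCode plugin and not any particular BBCode library): escape the whole stored string first, then expand a small fixed set of BBCode tags into HTML. The supported tag set, the http(s)-only rule for links and the rel attribute on generated anchors are choices made for this example; storage and retrieval are the plain parameterised queries from earlier in the thread and are not repeated here.

```php
<?php
// Added example, not from the thread: render BBCode at output time.
// Because htmlspecialchars() runs first, any raw "<" or ">" the user typed
// is already inert when the [tags] are expanded into HTML, so the only HTML
// that reaches the page is the HTML this function itself writes.
function bbcode_to_html(string $bbcode): string
{
    // Step 1: neutralise every HTML metacharacter in the user's text.
    $out = htmlspecialchars($bbcode, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 2: expand simple paired tags. The inner pattern excludes "[" so
    // tags must nest cleanly; unmatched or malformed tags stay as plain text.
    $simple = ['b' => 'strong', 'i' => 'em', 'u' => 'u'];
    foreach ($simple as $tag => $html) {
        $out = preg_replace(
            '/\[' . $tag . '\]([^\[]*?)\[\/' . $tag . '\]/i',
            '<' . $html . '>$1</' . $html . '>',
            $out
        );
    }

    // Step 3: links. Only http(s) targets become anchors; anything else
    // (javascript:, data:, ...) is left as the already-escaped text.
    $out = preg_replace_callback(
        '/\[url=([^\]]+)\]([^\[]*?)\[\/url\]/i',
        function (array $m): string {
            // The URL was escaped in step 1; decode it so the check sees the
            // real characters, then re-escape it for the attribute.
            $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (!preg_match('#^https?://[^\s"\'<>]+$#i', $url)) {
                return $m[0];
            }
            return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
                . '" rel="nofollow noopener">' . $m[2] . '</a>';
        },
        $out
    );

    // Line breaks are the one piece of "formatting" plain text carries.
    return nl2br($out);
}

// Constructed samples: ordinary formatting first, then the kinds of input
// the thread is worried about (raw HTML and a non-http link target).
$samples = [
    "[b]Hello[/b], see [url=https://example.com/docs?a=1&b=2]the docs[/url]",
    "<script>alert(document.cookie)</script> [i]still formatted[/i]",
    "[url=javascript:alert(1)]click me[/url]",
];
foreach ($samples as $s) {
    echo bbcode_to_html($s), PHP_EOL;
}
```

Running it shows the trade-off the post describes: bold, italics and safe links survive, the raw script tag in the second sample is printed as text rather than executed, and the third sample's link is simply not turned into an anchor. Extending the tag set later is a matter of adding to the allowlist; nothing outside it can ever become markup.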
