I need to store user's signature (ie the thing at the bottom of a forum post) and am not sure how to, I could use text to store the html, but I think there are probably better solutions.
I see no sense in this question.
What's so special with this particular field?
Is it the only one field in this database?
if no - why it's only one raised such a question?
Why not to determine first, what field length will suit you, and then choose appropriate field type according to documentation?
A text field is OK for that. You could use a big varchar field also. But you will have to check and inform your user that there is a limit on the size of his/her signature (which is fine).
A text field is probably the best. If you are worried about the "structure" of the signature, you may use the nl2br() function in PHP, which will convert any new line character stored in the field into the HTML <br/>.
Related
Hi I am trying to validate some user input and I'm not sure what is the correct way to go about it.
I want to validate first name and last name fields for a user creation form. I am using PHP with the Zend framework so I will be writing a validator. After doing some research I think I should really be allowing all UTF8 characters, with no spaces at beginning or end. I'm not sure on the regex but I can find that out later, I will most likely be using php's preg_match.
I'm storing these details in OpenLDAP using the sn field for surname and the givenName for firstname. How should I be restricting the names? Is there a limit to the length in OpenLDAP, do I need to check the characters it accepts or does it accept all characters?
Should I even validate the first name and last name or should I just let the user input what they want?
I am using a separate field for username which will consist of "text.text", text being A-Za-z chars.
I'm not posting code as I just a need a bit of guidance, not really sure whats the best practice here.
Validating names is a bad idea. There are no universal rules for what is allowed in a name, especially when you want to allow non-western text as well.
This presents a challenge when it comes to LDAP, since there is no guarantee that the directory will understand the charset of the user input. There is an easy solution to this though: base64_encode() the values before storing them in LDAP, and base64_decode() them on the way out.
There is no need to validate the names. The directory server schema specifies the syntax of all attributes, including givenName, and sn. The server will properly encode any names that are presented. If a DirectoryString value begins or ends with a space, the server will base64 encode the value for storage.
Though there is a practical limit, LDAP clients should not assume that servers have the capability of enforcing the non-zero length of an attribute value. Some attributes syntaxes are defined to be non-zero in length (such as DirectoryString), but no upper limit is defined, therefore, clients should not assume the server enforces an upper limit.
see also
LDAP: Syntaxes and Matching Rules
How to best choose a size for a varchar/text/... column in a (mysql) database (let's assume the text the user can type into a text area should be max 500 chars), considering that the user also might use formatting (html/bb code/...), which is not visible to the user and should not affect the max 500 chars text size...??
1) theoretically, to prevent any error, the varchar size has to be almost endless, if the user e.g. uses 20 links like this (http://[huge number of chars]) or whatever... - or not?
2) should/could you save formatting in a separate column, to e.g. not give an index (like FULLTEXT) wrong values (words that are contained in formatting but not in the real text)?
If yes, how to best do this? do you remember at which point the formatting was used, save this point and the formatting and when outputting put this information together?
(php/mysql, java script, jquery)
Thank you very much in advance!
A good solution is to consider in the amount of formatting characters.
If you do not, to avoid data loss, you need to use much more space for the text on the database and check the length of prior record before save or use full text.
Keep the same data twice in one table is not a good solution, it all depends on your project, but usually better it's filter formating on php.
We use UUIDs for our primary keys in our db (generated by php, stored in mysql). The problem is that when someone wants to edit something or view their profile, they have this huge, scary, ugly uuid string at the end of the url. (edit?id=.....)
Would it be safe (read: still unique) if we only used the first 8 characters, everything before the first hyphen?
If it is NOT safe, is there some way to translate it into something else shorter for use in the url that could be translated back into the hex to use as a lookup? I know that I can base64 encode it to bring it down to 22 characters, but is there something even shorter?
EDIT
I have read this question and it said to use base64. again, anything shorter?
Shortening the UUID increases the probability of a collision. You can do it, but it's a bad idea. Using only 8 characters means just 4 bytes of data, so you'd expect a collision once you have about 2^16 IDs - far from ideal.
Your best option is to take the raw bytes of the UUID (not the hex representation) and encode it using base64. Or, just don't worry much, because I seriously doubt your users care what's in the URL.
Don't cut a single bit out of that UUID: You have no control over the algorithm that produced it, there are multiple possible implementation, algorithm implementation is subject to change (example: changed with the version of PHP you're using)
If you ask me an UUID in the address bar doesn't look scary or difficult at all, even a simple google search for "UUID" produces worst looking URL's, and everybody's used to looking at google URL's!
If you want nicer looking URL's, take a look at the address bar of this stackoverflow.com article. They're using the article ID followed by the title of the question. Only the ID part is relevant, everything else is there to make it easy on the eyes of readers (go ahead and try it, you can delete anything after the ID, you can replace it with junk - doesn't matter).
It is not safe to truncate uuid's. Also, they are designed to be globally unique, so you aren't going to have luck shortening them. Your best bet is to either assign each user a unique number, or let users pick a custom (unique) string (like a username, or nick name) that can be decoded. So you could have edit?id=.... or edit?name=blah and you then decode name into the uuid in your script.
It depends on how you're generating the UUID - if you're using PHP's uniqid then it's the right-most digits that are more "unique". However, if you're going to truncate the data, then there's no real guarantee that it'll be unique anyway.
Irrespective, I'd say that this is a somewhat sub-optimal approach - is there no way you can use a unique (and ideally meaningful) textual reference string instead of an ID in the query string? (Hard to know without more knowledge of the problem domain, but it's always a better approach in my opinion, even if SEO, etc. isn't a factor.)
If you were using this approach, you could also let MySQL generate the unique IDs, which is probably a considerably more sane approach than attempting to handle this in PHP.
If you're worried about scaring users with the UUID in the URL, why not write it out to a hidden form field instead?
I am trying to figure out what is the best way to manage the data a user inputs concerning non desirable tags he might insert:
strip_tags() - the tags are removed and they are not inserted in the database
the tags are inserted in the database, but when reading that field and displaying it to the user we would use htmlspecialchars()
What's the better, and is there any disadvantage in any of these?
Regards
This depends on what your priority is:
if it's important to display special characters from user input (like on StackOverflow, for example), then you'll need to store this information in the database and sanitize it on display - in this case, you'll want to at least use htmlspecialchars() to display the output (if not something more sophisticated)
if you just want plain text comments, use strip_tags() before you stick it in the database - this way you'll reduce the amount of data that you need to store, and reduce processing time when displaying the data on the screen
the tags are inserted in the database, but when reading that field and displaying it to the user we would use htmlspecialchars()
This. You usually want people to be able to type less-than signs and ampersands and have them displayed as such on the page. htmlspecialchars on every text-to-HTML output step (whether that text came directly from user input, or from the database, or from somewhere else entirely) is the right way to achieve this. Messing about with the input is a not-at-all-appropriate tactic for dealing with an output-encoding issue.
Of course, you will need a different escape — or parameterisation — for putting text in an SQL string.
The measures taken to secure user input depends entirely on in what context the data is being used. For instance:
If you're inserting it into a SQL database, you should use parameterized statements. PHP's mysql_real_escape_string() works decently, as well.
If you're going to display it on an HTML page, then you need to strip or escape HTML tags.
In general, any time you're mixing user input with another form of mark-up or another language, that language's elements need to be escaped or stripped from the input before put into that context.
The last point above segues into the next point: Many feel that the original input should always be maintained. This makes a lot of sense when, later, you decide to use the data in a different way and, for instance, HTML tags aren't a big deal in the new context. Also, if your site is in some way compromised, you have a record of the exact input given.
Specifically related to HTML tags in user input intended for display on an HTML page: If there is any conceivable reason for a user to input HTML tags, then simply escape them. If not, strip them before display.
I have given en Entry Form to the user to input values that are stored in a MySQL table. There is one column called "Project Details", wherein the user can input upto 200 characters and this column is of type "varchar".
Till here everything is fine. The problem starts when the project details contain a number of points that are to be listed on the HTML page as:
(1) .........
(2) .........
(3) .........
It is unsure whether the project details is of one line, one paragraph, a simple text or a numbered list.
Is there any way to save the project details in rich text format in the MySQL table and when PHP shows the page of my website, the text gets listed as it was pasted?
If you want to store something like rich text format, you'll probably want to place it into a BLOB field: http://dev.mysql.com/doc/refman/5.0/en/blob.html which has no actual character set assigned to it
Can I ask though, why you would want to do that? Why not use one of the many rich text editors that convert your information into HTML (like tinyMCE), which from there you can store as-is or pass it through a Html->Textile filter or something similar.
You might want to consider using a simple markup language like Markdown or Textile. These allow you to take natural looking plain text, and then render it as HTML.
Failing that, you could simply display the text verbatim within <pre> tags.
If you are really using RTF, you might need is RTF-to-HTML-Converter, a quick search brought this: http://directory.fsf.org/project/rtf2html/ (untested). Is this what you meant?
What kind of code you store in a MySQL-Database is up to you, but a Varchar is probably not the best field type; you should consider changing it into a Text-field.
I encrypt using base64_encode() and to get I use base64_decode(). Tabs, spaces and special characters are preserved.
$statement->execute(array(':cemail' => $c_email,
':ctel' => $c_tel, ':msg' => base64_encode($c_msg)));
$msg = $rd['texe;];
$msg = base64_decode($msg)
Works perfectly for me
RTF is not the correct way to go because it's not interpreted correctly by webbrowsers.
You should use some markup language like Markdown, the one used here.