I wonder if there's any downside or bad practice in doing the following procedure:
$user_input -> htmlentities($user_input) -> mysql_escape($user_input) -> insert $user_input into DB
Select $user_input from DB -> echo $user_input
instead of doing the following:
$user_input -> mysql_escape($user_input) -> insert $user_input into DB
Select $user_input from DB -> echo htmlentities($user_input)
As we display the same $user_input on a lot of places it feels more efficient do to it on the input instead, are there any downsides / bad practice / exploit-ability in doing it this way?
Cheers!
Good replies to the question from:
#Matt: In general, to keep things readable and maintainable, try to store it as close to the original, unfiltered content as possible. It depends on two things:
Is any other person/program going to reference this data?
Does the data need to be easily editable?
#Sjoerd: There is a downside if you want to display the data as something else than HTML, e.g. a CSV download, PDF, etc.
It depends on two things:
Is any other person/program going to reference this data?
Does the data need to be easily editable?
The advantage of method one is that, in the case that the data is used in one place, and htmlentities() would be called every time, you'd be saving this step.
However, this would only leave a notable improvement if the HTML data is very large. In general, to keep things readable and maintainable, try to store it as close to the original, unfiltered content as possible.
In fact, you might find that HTML is the wrong thing to store anyway. It might be better to store something like Markdown and simply convert it to HTML when viewed.
I'd advice against it. If you ever need that data for anything other than displaying it as HTML (display in console, send in text email, write to log, etc) , you'll have to convert it back.
A good practice is to apply such transformations only at the last moment. Use mysql_escape before inserting into the database, use htmlentities (or htmlspecialchars) before displaying as HTML. That way you always know where your escape functions should be. If they're not there, you can easily tell you're doing something wrong. You also know that data in the database is always clean and you don't need to remember if you encoded it, what with and how to turn it back.
There is a downside if you want to display the data as something else than HTML, e.g. a CSV download, PDF, etc.
Related
I validate and sanitize all my data before inserting it into the database. Would it be considered a good or a redundant pactice to validate it when pulling it form the database before displaying it?
This boils down to how much to trust your own code. On one extreme, I could forgo the validation completely if I knew that onlyI would use the client-side interface and would never make a mistake. On the other, I could validate data in every class in case I'm working with others and they forgot to properly do their job. But what's a generally good practice in this particular case?
Input validation should be a yes/no proposition. You should not modify input and save it.
You should use Htmlentities after pulling from the DB and before showing. This is because it's better to clean data just before using it at the point of failure. This is why prepared statements work so well, because there is no external code you rely on.
Say you forget to sanitize 1 field in 1 form, then when you ouput that data to other users you have no way to see that mistake from the code that does the output (assuming its not in the same file).
The less code between the sanitizing and the end result is better.
Now that is not to say save everything and validate it later. Take an email for example, you should validate that for the proper format before saving.
But for other things you don't want to modify user input. Take a file upload. Some people will change the filename to sanitize it, replace spaces etc. This is good but I prefer to create my own filename, and then show them the origainal file name, while the one I use on the server is a hash of their username and the name of the file. They never know this, and I get clean filenames.
You start modifying user data, and it becomes a chore to maintain it. You may have to un-modify it so they can make edits to it... etc. Which means you are then doing way more work then if you just clean it when outputting it.
Take for example the simple act of replacing a users \n line returns with a <br> tag. User inputs into a text field then you change it to html and save it. (besides security reasons not to do this) when user wants to edit the data, you would have to take the <br> and replace them with \n so they can edit it. Security reasons being now you have decided that raw HTML in that field is ok and will just output the raw field, allowing someone a possibility to add their own HTML. So by modifying user data we have created more work for yourself, and we have made assumptions that the data is clean before inserting it when we output it. And we cannot see how it was cleaned when we output it.
So the answer is it depends on the data and what sanitation you are doing.
Hope that makes sense.
I guess there is not need of validating or sanitizing the data from the db as you are doing it before inserting
A attacker always plays with the data which he is sending to the server and just analyis the data coming as a response . They plays with input not with the output.So just secure your data before sending it to server or db .
I'm trying to realize a dynamic website for exercise. All contents are stored in the database:
I included html code(FORMS) as DB content with no ploblem, but when i try to insert php code as DB content nothing happens. The field type for Content is TEXT.
I tryed various ways :
INSERT INTO TableContent(Name_Content, Content, ID_Menu) values ("Amministration Area", "<?php include('LogIn.php')", 5);
INSERT INTO TableContent(Name_Content, Content, ID_Menu) values ("Amministration Area", "<?php include(\"LogIn.php\")", 5);
In the website page i see Amministrazion Area, but not what Login.php does.
I thought i made a mistake in Login.php page code so i changed it in a simply echo ("Hi"); but nothing appears anyway. I see only the text Amministration Area.
How can i solve it ?
It's just text! Text in a database. Nothing happens when you just insert text into a database and read from it. You have to actually get something to execute that text as PHP code. That doesn't happen automatically, thankfully! In PHP, the way to execute arbitrary strings as code is by using eval. But this is overall a very bad idea; storing all PHP code in a database is not making anything easier, on the contrary it makes everything more difficult to work with and more prone to exploits if you execute arbitrary code. I'd advice you to stop doing that and go back to PHP code in .php files, not databases.
PHP see <?php include("LogIn.php");? as a string, when you look in the source code of your file, you'll probably see it. It doesn't show up on screen because it starts with a <.
To execute the code instead of handling it as a string, you can use the eval() function.
You however don't want every row of your database be seen as PHP code, so you'll probably need to add a extra column that defines what the row is, i.e. a string, php code. Or you make an extra table where you store your includes.
I have a webpage that the user inputs data into a textarea and then process and display it with some javascript. For example if the user types:
_Hello_ *World* it would do something like:
<underline>Hello</underline> <b>World</b>
Or something like that, the details aren't important. Now the user can "save" the page to make it something like site.com/page#_Hello_%20*World* and share that link with others.
My question is: Is this the best way to do this? Is there a limit on a url that I should be worried about? Should I do something like what jsfiddle does?
I would prefer not to as the site would work offline if the full text would be in the hash, and as the nature of the site is to be used offline, the user would have to first cache the jsfiddle-like hash before they could use it.
What's the best way to do this?
EDIT: Ok the example I gave is nothing similar to what I'm actually doing. I'm not cloning markdown or using underline or b tags, just wanted to illustrate what I wanted
Instead of trying to save stuff in the URL, you should use the same approach that is common in pastebins: you store the data , can provide use with url, containing an unique string to identify stored document. Something like http://foo.bar/g4jg64
From URL you get state or identifiers, not the data.
URLs are typically limited to 2KB total, but there is no officially designated limit. It is browser-dependent.
Other than that, make sure you properly URL encode what you're putting up there, and you're fine... although I certainly would not want to deal with obnoxiously long URLs. I might suggest you also avoid tags such as <underline> and <b>, as they have been deprecated for a very, very long time.
Use javascript function:
encodeURIComponent('_Hello_ *World*');
I have an HTML table with contents, I would like to have an feature of Edit/Delete to that table. How do I do it with PHP?
I actually think that this sounds more like a job for JavaScript, which can edit/remove rows on-the-fly and with much less code. (Implement some AJAX too, and you can edit/remove rows in database too).
But if you insist on using PHP, you might just want to add some GET parameters to the Edit/Delete links that would delete or edit those rows.
Well, there is a pure PHP way to do it, and then there is a combination of Javascript and PHP. You must use PHP one way or another if you want your changes to the database to be permanent as that is your gateway to communicating with the database (as far as I know you cannot do that with Javascript as that is client-based and runs entirely in your web browser).
If using just PHP, you must generate HTML documents for each change. E.g., you click on one cell in the table and that gets you to a new HTML page where the field is editable through an input element; or you can list all fields at once for that row and edit them all at the same time. The fields are then posted in a form to a PHP page which will take the new values and update the database (or insert new values or however you wish it to behave). Here's a tutorial for how to do this:
http://www.freewebmasterhelp.com/tutorials/phpmysql/1
You can also mix in some Javascript which allows a more interactive interface to modifying the values in a cell. However, this obviously requires more code and may be overkill for what you're trying to do. Nonetheless, here is a link which demonstrates just that and also shows the code:
http://www.java2s.com/Code/JavaScript/GUI-Components/Editabletablecell.htm
Hope this is what you're looking for.
EDIT:
Forgot that you also wished to delete content in the table. That is also explained in the first link.
If you intend to work with databases, and it seems like you have little understanding of how they work, pick up a good book like: SQL - The Complete Reference. When you have enough knowledge of SQL, look at PHP's PDO extension: http://php.net/manual/en/book.pdo.php
I am working on building a small php/mysql script that will act something like a wordpress blog but will just be a small site for my eyes only to store PHP code snippets. So I will have categories and then pages with sample code that I write with a javascript syntax highlighter. Instead of storing my php code snippets in the file I am wanting to save them to mysql DB. So what is the best way to save PHP into mysql and to get it out of mysql to show on the page?
My end result will be something like this
alt text http://img2.pict.com/c1/c4/69/2516419/0/800/screenshot2b193.png
Update:
I just wasn't sure if I needed to do something special to the code before sending it to mysql since it has all different kinds of characters in it
Just store in a text field, as is. Not much more beyond that.
If you're not using some kind of database abstraction layer, just call mysql_real_escape_string on the text.
Do you want to be able to search the php code? If so, I recommend using the MyISAM table type as it supports full text indexes (InnoDB does not). Your choices for column type when it comes to a fulltext index are char, varchar and text. I would go with text as your code snippets might get too long for the other types.
Another point worth mentioning, is make sure you properly escape all php code (or any value for that matter) before you insert it. The best way to do this is by using parameterized queries.
Unless I'm missing part of the problem, you should be safe storing it as a TEXT field in a MySQL database. Just make absolutely sure you sanitize the code snippets, as PHP code in particular is quite likely to contain the characters that will escape out of an SQL string. (If you're already using an SQL framework, odds are the framework is doing this for you.)
Store as text (varchar) in the database.
Use cascading style sheet (css) to format code.
http://qbnz.com/highlighter/
Try this:
mysql select ...
eval('?>' . $row['phpcode'] . '<?php ');