stackoom
  简体   繁体   中英

Best practice for storing HTML in mysql DB

 原文  2019-01-11 01:03:49       php/ html/ mysql/ markdown/ htmlpurifier

Question

I'm working on a mini blog which allows users to add a post using a WYSIWYG editor to the site therefore I will be storing this post in my DB.

Having researched markdown I have come to the conclusion that it is not fit for purpose since I require local video uploaded which is why I am now planning on storing the HTML from the WYSIWYG editor into my DB.

I however do have some concerns regarding SQL injection and XSS attacks however I have researched a solution which is HTML purifier.

If I use HTML purifier to remove unwanted HTML tags is this then a safe solution to store the HTML in my DB?

3 answers

solution1
 4 ACCPTED  2019-01-11 02:57:06

Storing HTML in the database is not intrinsically unsafe, any more than storing plain text is intrinsically unsafe. The risk of SQL injection is trivially mitigated by using prepared statements and proper placeholders. Escaping is neither necessary nor is it best practice for preventing SQL injection. Prepared statements are.

Conversely, XSS and other HTML-related vunerabilities have nothing to do with the database and everything to do with rendering HTML to viewers from untrusted sources. The same vulnerabilities would be there if the HTML were simply stored in files, with no database at all, so there is no need to protect the database from malicious HTML. The database has no knowledge of or vulnerability to what's contained in stored HTML content, because it doesn't render or interpret the HTML... again, as long as your database interactions use prepared statements. There are no acceptable justifications for avoiding those.

To exaggerate the point to an extreme, it would be perfectly safe to store files containing viruses as blobs in a database, because the database does not execute the data stored in it, as code. The vulnerability would be to the users downloading those viruses.

solution2
 0  2019-01-11 02:29:20

You can store html in sql... but escape them first.

See the example here...

http://php.net/manual/en/function.html-entity-decode.php

solution3
 0  2022-08-03 22:31:46

you can save html content in mysql field as "blob", before send de html content in the back you must use something function like base64_encode in PHP for example and then, you can get that content using base64_decode

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question What's the best practice method for storing raw php, javascript, html or similar in a mysql database? mysql database storing best practice for storing data, lots of small amounts or small amounts of large Best practice with storing images on server Best practice for storing settings for a website? Storing PHP Simple HTML DOM results to MySQL DB best practice in mysql? HTML - forms best practice Best practice. Do I save html tags in DB or store the html entity value? Best practice for storing global data in PHP? Best practice for database cross-value storing
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM