Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

100% safe way of storing html in MySQL [closed]

Tags:

html

php

mysql

code-injection

I'm working on a project where the public (so everyone) is allowed to insert HTML through TinyMCE for their own project page. Since everyone is allowed to use this feature, I need a 100% safe way of inserting the TinyMCE output into my database, and showing it on another page just as it was inserted by the user.

XSS, SQL injection and all that other crap is not what I want on my new website! I could do htmlentities -> htmlspecialchars and later on use htmlentities_decode, but is this 100% safe, and it is the best way of doing it?

like image 569
Basaa Avatar asked Jul 21 '12 11:07

Basaa

2 Answers

SQL injection is in most cases easily avoided with the use of prepared statements.

XSS is more difficult if you're planning to allow users to post HTML markup. You need to remove all <script> tags, all on* attributes from tags, all javascript: urls, and even then that's probably not fully guaranteed to make the input HTML safe. There are libraries such as HTMLPurifier that can help, but so long as you allow HTML, you're at risk of letting something malicious through.

You could use a library that implements something such as markdown or wikitext instead. This severely limits what users can enter, whilst still letting them mark the content up to an extent. It's not fullproof (people can still just post links to malicious sites and hope users click through to them,which some will be naive enough to actually do), and you'll not be able to use a rich editor such as TinyMCE without some sort of plugin, but it's a much simpler job to sanitize markdown than it is to sanitize HTML.

like image 93
GordonM Avatar answered Sep 23 '22 23:09

GordonM

It is not doable. You think to filter so that's a good point but in the end it won't be possible to lock it down totally if you accept html. Take a look at things like bbcode, markdown etc. to see some alternatives.

If you decide to accept HTML code it's not just filtering what needs to be done, even encodings can generate serious security issues. Search for UTF-7 for example to see what kind of issues. See some examples here: http://www.webappsec.org/projects/articles/091007.txt

like image 30
Luc Franken Avatar answered Sep 24 '22 23:09

Luc Franken
Sign in to Comment

Related questions

Ember.js with PHP
Is Propel's fromArray/fromJSON feature safe from SQL injection?
PHP: Error thrown when including and requiring files
svg to image on demand
Comparing array of keys of associative array to integer indexed array
Issue with PHP array where keys are large integers
Can't use ini_set because session is active
How do I load a SVG file that's been generated with PHP?
Saving line breaks with preg_replace
Code injection vulnerability by echo-ing $_POST vars?
How can I modify content type of uploaded file in php?
Instantiating class method without instantiating the class in PHP no longer possible?
Linux timestamp to PHP
How can I execute remaining php code after calling "exit"?
How do I check if a longitude/latitude point is within a range of coordinates?
Understanding user permissions and how to apply it
Opening jQuery UI Dialog box with dynamic content
How to secure the use of a PHP script that triggers emails?
preg_replace: how to?
PHP File Upload in Sharded Server Configuration

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!