storing html in mysql
I've searched everywhere without a definitive answer...
How can you store embed codes (youtube, slide, google video, rockyou, etc) in mysql through a form?
Would you use
- any validations?
- anything else?
Just don't want any injections...
Embed codes are just strings; mysql_real_escape_string() is all that's necessary to insert them into any string type column in a database. Whether you need to do any input cleaning or validation doesn't depend on what the content is but where it's coming from -- is this user-submitted? If so, why, considering you should be able to produce the embed code yourself given the unique identifier of whatever you're embedding.
I would use a combination.
Another thing you can do is to encode the entire string before you put it in the database. Use base64_encode to encode the entire string, and then it is completely safe. It uses a little more space and server resources, but for most websites it won't cause any noticeable delay or other problem.
If you use mysql_real_escape_string(), base64_encode() is not needed at all.
Originally Posted by jestep
If it's user submitted you could also just ask for the URL and the site, and then assemble the embed code with a template matched to that site's conventions. You then have complete control over markup.
This is the best solution. Validate that it's an actual URL, and/or run mysql_real_escape_string() on the URL variable. This way you can create your own 'template' for any type of media it is.
Originally Posted by Hammer65
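
An added example, not part of any post in this thread: the "ask for the URL, then assemble the embed code from a template" approach suggested above, with only the site name and media ID stored through a prepared statement. The function names, template, sample URLs and the 11-character ID pattern are assumptions made for illustration; in-memory SQLite is used so the script runs offline, and with MySQL only the PDO DSN changes.

```php
<?php
// Added example: store (site, media id) only; user-supplied markup never reaches the page.
const EMBED_TEMPLATES = [  // hypothetical template table, one entry per supported site
    'youtube' => '<iframe width="560" height="315" src="https://www.youtube.com/embed/%s" allowfullscreen></iframe>',
];

// Return ['site' => ..., 'id' => ...] for a recognised URL, or null to reject it.
function parse_media_url(string $url): ?array
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) return null;
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) return null;
    $host = strtolower($parts['host']);
    if (in_array($host, ['www.youtube.com', 'youtube.com'], true)) {
        parse_str($parts['query'] ?? '', $query);
        $id = $query['v'] ?? '';
    } elseif ($host === 'youtu.be') {
        $id = substr($parts['path'] ?? '', 1);
    } else {
        return null;  // host not on the allowlist
    }
    // Assumed ID format: exactly 11 characters of [A-Za-z0-9_-]; \z blocks a trailing newline.
    if (!is_string($id) || preg_match('/\A[A-Za-z0-9_-]{11}\z/', $id) !== 1) return null;
    return ['site' => 'youtube', 'id' => $id];
}

// Build the markup from our own template; escape the ID anyway as defence in depth.
function render_embed(string $site, string $id): string
{
    return sprintf(EMBED_TEMPLATES[$site], htmlspecialchars($id, ENT_QUOTES, 'UTF-8'));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE media (site TEXT NOT NULL, media_id TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO media (site, media_id) VALUES (?, ?)');

$submitted = [  // constructed form submissions
    'https://www.youtube.com/watch?v=abcdefghijk',
    'https://youtu.be/abcdefghijk"><b>extra markup</b>',
];
foreach ($submitted as $url) {
    $media = parse_media_url($url);
    if ($media === null) { echo "rejected: $url\n"; continue; }
    $insert->execute([$media['site'], $media['id']]);  // bound parameters, no manual escaping
}
foreach ($db->query('SELECT site, media_id FROM media') as $row) {
    echo render_embed($row['site'], $row['media_id']), "\n";
}
```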