  1. #1
    SitePoint Addict

    Disable any HTML in a MySQL column

    I have a user-submission MySQL table which displays results on my page. The problem is that some nasty hackers submitted an iframe to a virus in the "name" field, which caused a lot of problems for me...

    So, I want to disable people inserting iframes into my database. I really want this done from the MySQL perspective rather than PHP.

    So, I want to have a column "name" which could only hold plain text elements. Any HTML tags would cause errors.

    Is there a way to do this?

  2. #2
    guido2004 (From Italy with love)
    I know you don't want to do it, but that's something you check in PHP.

  3. #3
    felgall (Programming Since 1978)
    You should be validating user input. If what is entered is not valid for a field then it should be rejected and the user asked to re-enter it long before you try to do anything with it such as saving it in a database.

    Code:
    $error = '';

    // validFieldX() is whatever check is appropriate for that field (length, character set, format)
    if (validFieldX($_POST['fieldX'])) {$fieldX = $_POST['fieldX'];}
    else {$error .= 'fieldX is invalid<br>';}
    // repeat the above two lines for all fields using an appropriate validation function

    if ($error != '') {
    // redisplay the page with the errors
    } else {
    // only now should you be doing anything with the data that was input
    }
    Stephen J Chapman

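    The validate-then-act flow described in the post above, written out as a runnable PHP script. This is an added example and not code from the original post: the field names (name, email), the whitelist rules, the sample submissions and the commented-out PDO insert are all assumptions for illustration. The point it adds is that a whitelist check on "name" rejects an iframe payload outright instead of trying to clean it up, and that nothing is saved until every field passes.

```php
<?php
declare(strict_types=1);

// Added example (not from the original thread): server-side validation of a
// user-submission form before anything touches the database. Field names and
// the sample $_POST payloads below are constructed for illustration.

/**
 * A "name" is accepted only if it matches a whitelist: letters in any script,
 * combining marks, spaces, apostrophes, hyphens and periods, 1 to 100 characters.
 * '<', '>', '"', '=' and '/' are not in the whitelist, so any markup (such as
 * an <iframe> tag) fails validation instead of being partially stripped.
 */
function validName(string $value): bool
{
    return preg_match('/\A[\p{L}\p{M} .\'\-]{1,100}\z/u', $value) === 1;
}

function validEmail(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Validate the whole submission. Returns [clean fields, error list].
 * Callers must use the clean fields only when the error list is empty.
 */
function validateSubmission(array $post): array
{
    // Hypothetical rule table: field name => validation function.
    $rules = [
        'name'  => 'validName',
        'email' => 'validEmail',
    ];
    $clean  = [];
    $errors = [];

    foreach ($rules as $field => $validator) {
        $value = (string)($post[$field] ?? '');
        if ($validator($value)) {
            $clean[$field] = $value;
        } else {
            $errors[] = "$field is invalid";
        }
    }
    return [$clean, $errors];
}

// Constructed sample inputs: a legitimate submission and the kind of payload
// the original poster described (an iframe placed in the name field).
$submissions = [
    ['name' => "Mary O'Brien", 'email' => 'mary@example.com'],
    ['name' => '<iframe src="http://evil.example/"></iframe>', 'email' => 'x@example.com'],
];

foreach ($submissions as $post) {
    [$clean, $errors] = validateSubmission($post);
    if ($errors !== []) {
        // Redisplay the form with the errors; nothing is saved.
        echo 'Rejected: ' . implode('; ', $errors) . PHP_EOL;
        continue;
    }
    // Only now is the data used. A prepared statement keeps the value out of
    // the SQL text itself (assumed $pdo connection, shown commented out).
    // $stmt = $pdo->prepare('INSERT INTO submissions (name, email) VALUES (?, ?)');
    // $stmt->execute([$clean['name'], $clean['email']]);
    echo 'Accepted: ' . $clean['name'] . PHP_EOL;
}
```

    Run it with `php validate.php`. The first submission is accepted and the second is rejected with "name is invalid", because the regular expression only admits letters, marks and a few punctuation characters; the check never has to know what an iframe is. Whitelisting what a field may contain is more robust than blacklisting tags, since there is no list of dangerous markup to keep up to date.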

  4. #4
    SitePoint Wizard
    Quote Originally Posted by IamAdam
    I really want this done from the MySQL perspective rather than PHP.

    So, I want to have a column "name" which could only hold plain text elements. Any HTML tags would cause errors.

    Is there a way to do this?
    Database engines generally do not have ways of validating or removing HTML. The solution is simple: strip out HTML before you insert data into your database.

    http://php.net/manual/en/function.strip-tags.php

  5. #5
    SitePoint Member
    You can validate the input using JavaScript/jQuery. The further you let these values travel towards your application backend, the more vulnerable your application can become.

    There are a couple of ways to do it:
    1. Use a regular expression to check whether the name contains only letters or matches some other pattern.
    2. Remove '<' and '>' or replace them with &lt; and &gt; before saving. These characters (<, >) cause the browser to treat mischievous form inputs as HTML elements. This way the browser will treat them as plain text instead, even if you store them in your database.

    For PHP-based validation, you can check out the htmlspecialchars() function:
    http://www.w3schools.com/php/php_form_validation.asp

  6. #6
    felgall (Programming Since 1978)
    Quote Originally Posted by Ramy31
    You can validate the input using JavaScript/jQuery. The further you let these values travel towards your application backend, the more vulnerable your application can become.

    There are a couple of ways to do it:
    1. Use a regular expression to check whether the name contains only letters or matches some other pattern.
    2. Remove '<' and '>' or replace them with &lt; and &gt; before saving. These characters (<, >) cause the browser to treat mischievous form inputs as HTML elements. This way the browser will treat them as plain text instead, even if you store them in your database.

    For PHP-based validation, you can check out the htmlspecialchars() function:
    http://www.w3schools.com/php/php_form_validation.asp
    Any JavaScript/jQuery validation MUST be repeated on the server. If you don't then you effectively have no validation as anyone can turn off the client side validation.
    Stephen J Chapman

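    The two replies above touch on the other half of the problem: whatever the server accepts still has to be escaped when it is written back into the page, and client-side checks cannot be relied on for that. The PHP below is an added example, not code from either poster; the rows array is constructed sample data standing in for a MySQL result set, and the function names e(), renderRow() and renderTable() are assumptions. It shows htmlspecialchars() applied at output time, so a payload that already sits in the "name" column (exactly the situation the original poster was in) is displayed as text rather than parsed as markup.

```php
<?php
declare(strict_types=1);

// Added example (not from the original thread): escape stored values at the
// point of output. The rows below are constructed sample data in place of a
// real MySQL query result.

/** Escape a value for an HTML text node or a double-quoted attribute value. */
function e(string $value): string
{
    // ENT_QUOTES escapes both quote styles, so the same helper is safe inside
    // attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from producing an
    // empty string that would silently drop the output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one submission as a table row, escaping every stored field. */
function renderRow(array $row): string
{
    return '<tr>'
        . '<td>' . e($row['name']) . '</td>'
        . '<td><a href="mailto:' . e($row['email']) . '">' . e($row['email']) . '</a></td>'
        . '</tr>';
}

function renderTable(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '  ' . renderRow($row) . "\n";
    }
    return $html . '</table>';
}

// Constructed rows: one ordinary entry and one carrying the kind of payload
// described in the thread, plus an attribute-breaking value in the email field.
$rows = [
    ['name' => "Mary O'Brien", 'email' => 'mary@example.com'],
    ['name' => '<iframe src="http://evil.example/"></iframe>', 'email' => 'x" onmouseover="alert(1)'],
];

echo renderTable($rows), PHP_EOL;
```

    In the rendered output every '<' becomes &lt;, every '>' becomes &gt; and every '"' becomes &quot;, so the iframe appears on the page as literal text and is never fetched, and the stray quote in the email value cannot close the href attribute to add an event handler. Escaping at output is what protects the page regardless of how the value got into the database; stripping '<' and '>' before saving, as suggested above, is a reasonable extra step for a name field but is not a substitute for it, because the same stored value may later be emitted in a context (JavaScript, a URL) where different escaping is required.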

  7. #7
    SitePoint Addict
    Thank you, I guess I will go with the PHP validation route.
