  1. #1 SitePoint Enthusiast (joined Mar 2005, 32 posts)

    Question: storing HTML in MySQL

    I've searched everywhere without a definitive answer...

    How can you store embed codes (YouTube, Slide, Google Video, RockYou, etc.) in MySQL through a form?

    Would you use
    - strip_tags?
    - mysql_real_escape_string?
    - any validations?
    - anything else?

    Just don't want any injections...

    Thanks.

  2. #2 Dan Grossman (joined Aug 2000, Philadelphia, PA, 20,580 posts)
    Embed codes are just strings; mysql_real_escape_string() is all that's necessary to insert them into any string type column in a database. Whether you need to do any input cleaning or validation doesn't depend on what the content is but where it's coming from -- is this user-submitted? If so, why, considering you should be able to produce the embed code yourself given the unique identifier of whatever you're embedding.

  3. #3 jestep, SitePoint Evangelist (joined May 2006, Austin, 401 posts)
    I would use a combination.

    First off, I would specify what HTML is allowed. This way you can validate that they only submitted allowed HTML. I would automatically strip out everything that you don't want using a preg_replace function. This way you can remove any JavaScript, PHP, or other code that you don't want. Then use mysql_real_escape_string to actually protect the data.

    Another thing you can do is to encode the entire string before you put it in the database. Use base64_encode to encode the entire string, and then it is completely safe. It uses a little more space and server resources, but for most websites it won't cause any noticeable delay or other problem.

  4. #4 longneck (joined Feb 2004, Tampa, FL (US), 9,854 posts)
    Quote (originally posted by jestep):
        Another thing you can do is to encode the entire string before you put it in the database. Use base64_encode to encode the entire string, and then it is completely safe. It uses a little more space and server resources, but for most websites it won't cause any noticeable delay or other problem.
    If you use mysql_real_escape_string(), base64_encode() is not needed at all.

  5. #5 Hammer65, SitePoint Wizard (joined Nov 2004, Lincoln, Nebraska, 1,161 posts)
    If it's user submitted you could also just ask for the URL and the site, and then assemble the embed code with a template matched to that site's conventions. You then have complete control over markup.

  6. #6 Mark A. Drake, SitePoint Enthusiast (joined Jul 2007, Virginia, 87 posts)
    Quote (originally posted by Hammer65):
        If it's user submitted you could also just ask for the URL and the site, and then assemble the embed code with a template matched to that site's conventions. You then have complete control over markup.
    This is the best solution. Validate that it's an actual URL, and/or run mysql_real_escape_string() on the URL variable. This way you can create your own 'template' for any type of media it is.
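The approach posts #5 and #6 describe, as an added example that is not code from the thread: the form supplies only a site name and a URL, the server validates the URL against a per-site whitelist, pulls out the media ID with a strict pattern, and generates the embed markup from its own template, so no user-submitted HTML is ever stored or echoed. The YouTube host list, ID pattern, iframe template and the `embeds` table are assumptions for illustration, and a PDO prepared statement stands in for the thread's mysql_real_escape_string() call.

```php
<?php
// Added example (not from the thread). Per-site whitelist: the hosts we accept,
// the pattern that extracts the media ID, and the markup we generate. The only
// user-derived value that reaches the markup is the ID, which the pattern
// restricts to a fixed character class. All site entries are assumptions.
const SITE_TEMPLATES = [
    'youtube' => [
        'hosts'    => ['www.youtube.com', 'youtube.com', 'youtu.be'],
        'id_regex' => '~(?:[?&]v=|youtu\.be/)([A-Za-z0-9_-]{11})(?:[&#]|$)~',
        'template' => '<iframe width="560" height="315" src="https://www.youtube.com/embed/%s" frameborder="0" allowfullscreen></iframe>',
    ],
];

/** Returns the media ID, or null when the URL is not an acceptable URL for $site. */
function extractMediaId(string $site, string $url): ?string
{
    if (!isset(SITE_TEMPLATES[$site])) {
        return null;                       // unknown site name from the form
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || !in_array(strtolower($parts['host']), SITE_TEMPLATES[$site]['hosts'], true)) {
        return null;                       // wrong scheme or host not on the whitelist
    }
    if (preg_match(SITE_TEMPLATES[$site]['id_regex'], $url, $m) !== 1) {
        return null;                       // no well-formed ID in the URL
    }
    return $m[1];
}

/** Builds the embed markup from the server-side template; never echoes raw input. */
function buildEmbed(string $site, string $mediaId): string
{
    return sprintf(SITE_TEMPLATES[$site]['template'], $mediaId);
}

/** Stores the generated markup; the prepared statement handles SQL escaping. */
function storeEmbed(PDO $db, string $site, string $mediaId): void
{
    $stmt = $db->prepare('INSERT INTO embeds (site, media_id, markup) VALUES (?, ?, ?)');
    $stmt->execute([$site, $mediaId, buildEmbed($site, $mediaId)]);
}

// Constructed form input for illustration: a valid URL and one that must be rejected.
var_dump(extractMediaId('youtube', 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'));
var_dump(extractMediaId('youtube', 'https://evil.example/watch?v=dQw4w9WgXcQ'));
```

Because the stored column holds only markup the server produced, a later change to a site's embed format is a one-line template edit rather than a rewrite of every stored row.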
