Saving HTML in the database - htmlentities [duplicate]

Possible duplicate:
Best way to prevent SQL injection in PHP

On my site I have some HTML content that a user sometimes must save in the database. What is the safe way to do this? (I don't want my database to be in danger, or the users who will later see that code when it is loaded from the database.)

So what I have read is:

Use htmlentities to save data in the database, and html_entity_decode to decode data from the database. Is this safe enough, or should I use something else?

asked Jul 29 '12 at 09:07

Well, I am not worried only about the database, but also about displaying HTML from the database. -

That's a completely different problem (and one you solve just before inserting content into an HTML document, not just before inserting content into a database). -

2 Answers

Provided you're using string escaping and/or prepared statements, HTML markup can't cause any damage to your database. The danger with HTML markup comes when you display it to the user: if someone has injected unsavory HTML into the markup you're going to display, then you've got an XSS attack on your hands.

If you're not escaping or using prepared statements, then pretty much any data that comes from outside can be dangerous.

answered Jul 29 '12 at 10:07

I haven't heard of "prepared statements", but I found this function: ` function make_safe($variable) { $variable = stripslashes($variable); $variable = mysql_real_escape_string(trim($variable)); $variable = htmlspecialchars($variable); return $variable; } ` Is this good enough for escaping? - Someone

That's horrid! Don't use it. - GordonM

Why? Well, how should it look? (I used this code once for sanitising user registration data) :s - Someone

You might want to look at the PHP function mysql_real_escape_string() ... More in this post: Is strip_tags enough to remove HTML from a string?

Here's an example ...

// scrub string ... call with sanitize($blah,1) to allow HTML
function sanitize( $val, $html=0 ) {
    if (is_array($val)) {
        // recurse into arrays (e.g. $_POST) and scrub every element
        foreach ($val as $k=>$v) $val[$k] = sanitize($v, $html);
        return $val;
    } else {
        $val = trim( $val );
        if (!$html) {
            $val = strip_tags($val);
            $pat = array("\r\n", "\n\r", "\n", "\r");
            $val = str_replace($pat, '<br>', $val); // newlines to <br>
            // leading whitespace, runs of whitespace, trailing whitespace
            // (the original had '/\s+\$/', which in single quotes matches a literal '$', not end of string)
            $pat = array('/^\s+/', '/\s{2,}/', '/\s+$/');
            $rep = array('', ' ', '');
            $val = preg_replace($pat, $rep, $val); // collapse multiple whitespace
        }
        return mysql_real_escape_string($val); // escape for the legacy mysql_* extension
    }
}

answered May 23 '17 at 12:05

1) mysql_real_escape_string has nothing to do with HTML markup, it's about making sure strings are properly quoted. 2) if you want to sanitize or strip HTML then use the right tools for the job (htmlentities/htmlspecialchars/strip_tags) and don't make your own ad-hoc solution. 3) mysql_* is obsolete and deprecated in all but name. If you're still using them then please switch to mysqli or pdo - GordonM

(1) his question had to do with database safety, not markup ... (2) my solution does use strip_tags ... (3) VERY good to know, thanks! For anyone else who didn't know this ... php.net/manual/en/mysqli.overview.php - neokio

@neokio I don't have to elaborate because I'm not a downvoter... for HTML sanitation you should use HTML Purifier, instead of your own, regex based, not-enough-tested "solution", I'm only saying this because I also used my "solutions"... For SQLi, prepared statements if used correctly are considered to be safe, MySQLi or PDO... - Dejan Marjanovic
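The approach the first answer and the last comments describe (prepared statements for the database, escaping only at display time), as an added example that is not code from the question or either answer. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the `pages` table and its columns are assumptions made for this demo.

```php
<?php
// Added example: store user-supplied HTML safely and escape it on output.
// The table/column names and the SQLite backend are assumptions for the demo.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');
    return $db;
}

// Database safety: the HTML travels as a bound parameter, never concatenated
// into the SQL string, so quotes or comment sequences inside it stay data.
function store_html(PDO $db, int $userId, string $html): int {
    $stmt = $db->prepare('INSERT INTO pages (user_id, body) VALUES (:uid, :body)');
    $stmt->execute([':uid' => $userId, ':body' => $html]);
    return (int) $db->lastInsertId();
}

function load_html(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT body FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// Display safety: escape at the moment the value enters an HTML document.
// This renders the stored markup as visible text. If the markup must be
// rendered as real HTML, pass it through an allowlist sanitizer such as
// HTML Purifier instead of escaping it.
function render_as_text(string $html): string {
    return '<pre>' . htmlspecialchars($html, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
}

// Constructed sample input: contains quotes, a script tag and an SQL-style
// comment, i.e. the kind of content the question is worried about.
$db = open_db();
$sample = "<p>It's \"fine\"</p><script>alert(1)</script>'); DROP TABLE pages; --";
$id = store_html($db, 42, $sample);
$stored = load_html($db, $id);

var_dump($stored === $sample);          // the value round-trips byte for byte
echo render_as_text($stored), PHP_EOL;  // escaped for the browser, stored raw
```

Note that neither function tries to "clean" the input before storage: the database layer needs parameter binding, the HTML layer needs escaping or a sanitizer, and mixing the two (as the make_safe() function in the comments above does) breaks both.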
