monkeytooth Posted July 27, 2011 Ok. I am working on a project where I guess the closest proximity to describe it would be something like http://pastebin.com/ I am building the project with PHP and MySQL as the backend. But I know the combination of the two can be deadly if not handled carefully with what I want to do. I already know I can store raw code in MySQL if I so choose, but that would be stupid, as the code that will be stored will be input by users, and well, trusting any one of them is just stupid. So with that I want to mention that this code will be used in a number of ways: from simply outputting it for display on a page to actually saving it as a file for use automatically. I will be storing all sorts of code from C# to PHP to JavaScript and everything in-between. So I guess my ultimate question here today would be: what's the best and safest way I can convert code to be stored in the DB without really affecting my ability to use it for display, demo (in some cases), or writing it to a file for someone to save? Would base64_encode/decode be a good logic to work on? Or should I do something like htmlentities/specialchars, or I dunno. I guess I am ultimately seeking opinions on the best way to tackle it.
AbraCadaver Posted July 27, 2011 There's nothing wrong with storing it in the DB as raw code, especially if you want it to be searchable. If you do something to it like htmlentities() before inserting it, then it would be a mess when you try to decode it for use. So long as you escape the data for insert and then htmlentities() before displaying it, you should be fine. As for writing it out to a file, that would depend on how you wanted to use it.
xyph Posted July 27, 2011 Echoing PHP code isn't executing it. Don't use EVAL, and you have no problem. Be sure to sanitize the input against SQL injection while inserting it, though, of course. htmlspecialchars() when you want to echo the code will prevent XSS attacks.
monkeytooth (Author) Posted July 27, 2011 What about JavaScript? Any opinions on storing that? Echoing that will execute it; someone storing a PHP script and embedding JavaScript in it will cause it to still run the JS.
AbraCadaver Posted July 27, 2011 "What about JavaScript? Any opinions on storing that? Echoing that will execute it; someone storing a PHP script and embedding JavaScript in it will cause it to still run the JS." That's why both xyph and myself said to use htmlspecialchars() or htmlentities() before echoing/displaying it.
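The approach the replies converge on (store the code verbatim, bind it on insert, escape only when rendering), as an added PHP example that is not from the thread or any of its posters. It assumes the pdo_sqlite extension; the table, column and function names are invented for the example.

```php
<?php
// Added example (not from the thread): keep user-submitted code byte-for-byte
// in the database, and treat the two output paths (display vs download) separately.
// Assumes pdo_sqlite is available; "snippets" and its columns are made up here.

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE snippets (id INTEGER PRIMARY KEY, lang TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// Insert raw code. Bound parameters keep quotes, backslashes and comment markers
// inside the code from being interpreted as SQL, so the body needs no encoding.
function storeSnippet(PDO $db, string $lang, string $body): int {
    $stmt = $db->prepare('INSERT INTO snippets (lang, body) VALUES (:lang, :body)');
    $stmt->execute([':lang' => $lang, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadSnippet(PDO $db, int $id): ?array {
    $stmt = $db->prepare('SELECT lang, body FROM snippets WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Display path: escape <, >, &, " and ' so an embedded <script> tag or event
// handler is rendered as text rather than run in the viewer's browser.
function renderSnippet(array $row): string {
    $safe = htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<pre><code>' . $safe . '</code></pre>';
}

// Download path: the bytes go out unchanged, but as an attachment with a fixed
// plain-text type and nosniff, so the browser never treats them as HTML.
function downloadHeaders(string $filename): array {
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $filename);
    return ['Content-Type: text/plain; charset=UTF-8',
            'Content-Disposition: attachment; filename="' . $name . '"',
            'X-Content-Type-Options: nosniff'];
}

// Constructed sample: PHP code carrying a quote and an embedded script tag.
$db  = openStore();
$id  = storeSnippet($db, 'php', '<?php echo "it\'s"; ?><script>alert(1)</script>');
$row = loadSnippet($db, $id);
echo renderSnippet($row), "\n";           // script tag arrives as &lt;script&gt;
print_r(downloadHeaders('snippet.php'));
```

The stored body is identical to what the user submitted, which keeps it searchable and reusable; only the rendering step changes it, and the download step relies on headers rather than transformation.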