
Storing Code and Calling it back out



Ok. I am working on a project where I guess the closest proximity to describe it would be something like




I am building the project with PHP and MySQL as the backend. But I know the combination of the two can be deadly if not handled carefully with what I want to do. I already know I can store raw code in MySQL if I so choose, but that would be stupid, as the code that will be stored will be input by users and, well, trusting any one of them is just stupid. So with that I want to mention that this code will be used in a number of ways, from simply outputting it for display on a page to actually saving it as a file for use automatically. I will be storing all sorts of code, from C# to PHP to JavaScript and everything in between.


So I guess my ultimate question here today would be: what's the best and safest way I can convert code to be stored in the DB without really affecting my ability to use it for display, demo (in some cases), or writing it to a file for someone to save?


Would base64_encode/decode be a good logic to work on? Or should I do something like htmlentities/htmlspecialchars, or I dunno. I guess I am ultimately seeking opinions on the best way to tackle it.


There's nothing wrong with storing it in the DB as raw code, especially if you want it to be searchable. If you do something to it like htmlentities() before inserting it, then it would be a mess when you try to decode it for use.


So long as you escape the data for insert and then htmlentities() before displaying it, you should be fine. As for writing it out to a file, that would depend on how you wanted to use it.


Echoing PHP code isn't executing it. Don't use eval(), and you have no problem.


Be sure to sanitize the input from SQL injection while inserting it, though, of course.


htmlspecialchars() when you want to echo the code will prevent XSS attacks.


What about JavaScript? Any opinions on storing that? Echoing that will execute it; someone storing a PHP script and embedding JavaScript in it will cause the JS to still run.


That's why both xyph and myself said to use htmlspecialchars() or htmlentities() before echoing/displaying it.

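The advice in the replies above, as one added example that is not from any poster in this thread: store the submitted code verbatim with a bound parameter (so quotes, semicolons and `<script>` tags never become part of the SQL), escape it only at the moment it is rendered into HTML, and when it has to leave the database as a file, let the server choose the path and filename. The table `snippets`, its columns, the connection credentials and the storage directory are assumptions.

```php
<?php
// Added example, not code from the thread. Table/column names and the DSN are assumptions.
declare(strict_types=1);

function connect(): PDO {
    // Placeholder credentials; ERRMODE_EXCEPTION so a failed query cannot be silently ignored.
    return new PDO(
        'mysql:host=localhost;dbname=snippets_db;charset=utf8mb4',
        'app_user',
        'app_password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// Store: the code goes in exactly as typed. The bound parameter is what prevents SQL
// injection; no htmlentities()/base64 transformation is needed (or wanted) at this stage.
function storeSnippet(PDO $pdo, string $language, string $code): int {
    $stmt = $pdo->prepare('INSERT INTO snippets (language, code) VALUES (:language, :code)');
    $stmt->execute([':language' => $language, ':code' => $code]);
    return (int) $pdo->lastInsertId();
}

function loadSnippet(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT language, code FROM snippets WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Display: escape for the HTML context. Stored JavaScript becomes visible text instead of
// running, because '<' and '>' are turned into '&lt;' and '&gt;'. <pre> keeps the indentation.
function renderSnippet(string $code): string {
    return '<pre><code>'
        . htmlspecialchars($code, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</code></pre>';
}

// Download: here the raw bytes are what the user asked for, so the body is not escaped.
// The risk has moved to the headers: force a download, forbid MIME sniffing, and build the
// filename from the numeric id plus a whitelisted extension rather than from user input.
function sendSnippetAsDownload(int $id, string $language, string $code): void {
    $extensions = ['php' => 'php', 'javascript' => 'js', 'csharp' => 'cs'];   // constructed map
    $ext = $extensions[strtolower($language)] ?? 'txt';
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="snippet-' . $id . '.' . $ext . '"');
    echo $code;
}

// Server-side file: write outside the web root, under a server-generated name, so the stored
// code can be read by the application later but is never served or interpreted by the web server.
function saveSnippetToDisk(string $storageDir, int $id, string $code): string {
    if (!is_dir($storageDir)) {
        throw new RuntimeException('storage directory missing: ' . $storageDir);
    }
    $path = rtrim($storageDir, '/') . '/snippet-' . $id . '.txt';
    if (file_put_contents($path, $code, LOCK_EX) === false) {
        throw new RuntimeException('could not write ' . $path);
    }
    return $path;
}

// Constructed sample: a PHP file with embedded JavaScript, the case raised in the thread.
$sample = "<?php echo 'hello'; ?>\n<script>alert(1)</script>\n";
echo renderSnippet($sample);   // the <script> tag is shown as text, not executed
```

To demo a snippet in the browser rather than merely show it, the same rule applies in reverse: the only place the raw code may be emitted unescaped is a response whose sole purpose is to be that code (the download above, or a sandboxed frame on a separate origin), never inside a page that also carries your session.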
