phpmaster57 Posted September 22, 2015 (edited)

Hi everyone, I have a security question. First, to let you all know, I am using the PHP framework CodeIgniter. For one of the features I am making I am using the jQuery tag-it plugin, http://aehlke.github.io/tag-it/ I am then storing the values from the tag-it feature in my database. I have not fully made the functionality yet, but here is what I was going for:

    // the tag list submitted by the tag-it widget (an array of strings)
    $tags = $this->input->post('tags');
    // join the tags into a single comma-separated string
    $interests = implode(',', $tags);
    $updateData = array('tags' => $interests);
    // store that string in the current user's record via ion_auth
    $this->ion_auth->update($this->ion_auth->user()->row()->id, $updateData);

So the above code would turn the array into a string separated with commas and store it in the database, and then use PHP explode to turn it back into an array. I have not really read the tag-it documentation, but what if somebody was able to bypass tag-it and enter a comma as a value? Would that mess the explode function up, or would it just return an empty value? So, if this made any sense, what I'm really asking is: is there a safer way to store and retrieve these values, and if yes, how so?

Edited September 22, 2015 by phpmaster57
Jacques1 Posted September 22, 2015

There's no particular security problem with explode(). You have to treat the tags like any other dynamic value, that is, you have to escape them before showing them, you mustn't use them in a dangerous context like a script element, etc.

Your implementation sounds odd, though. Stuffing comma-separated values into a relational database is generally a bad idea, but it's particularly bad when you actually want to do something with the data. The whole point of tags is to allow tag-based searches, but that's nearly impossible when all tags are buried somewhere in large strings. Do you want to load the entire database into your application, step through each row, unpack the values and check if one of the tags matches? That will obviously kill performance. Or do you want to try some LIKE magic? That's extremely cumbersome, error-prone and, again, inefficient.

In the relational model, one piece of information goes into one row. For example, make one table for the tags, one table for the tagged objects (e.g. articles) and one table which assigns the tags to the objects (e.g. article_tags). Now searching by tag is trivial.
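A runnable illustration of both points in the thread, added here as an example and not code from either poster: the implode/explode round trip silently splits a tag that contains a comma, while the three-table layout (articles, tags, article_tags) stores any tag text intact and makes the tag search a plain join with a bound parameter. It assumes SQLite via Python's sqlite3 module and the table and column names shown; the sample tags are constructed.

```python
import sqlite3

# Constructed sample input: the last tag contains a comma, which the
# comma-separated storage scheme from the question cannot represent.
SAMPLE_TAGS = ["php", "codeigniter", "jquery, tag-it"]

def csv_roundtrip(tags):
    """Python equivalent of implode(',') followed by explode(','):
    the comma inside a tag becomes a separator and the tag is split."""
    return ",".join(tags).split(",")

# Relational layout: one row per tag, one row per object, one row per
# assignment. Tag text is a value, never part of the storage format.
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE tags (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE article_tags (
    article_id INTEGER NOT NULL REFERENCES articles(id),
    tag_id     INTEGER NOT NULL REFERENCES tags(id),
    PRIMARY KEY (article_id, tag_id)
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def tag_article(conn, title, tags):
    """Insert an article and attach its tags through the join table."""
    article_id = conn.execute(
        "INSERT INTO articles (title) VALUES (?)", (title,)).lastrowid
    for name in tags:
        conn.execute("INSERT OR IGNORE INTO tags (name) VALUES (?)", (name,))
        tag_id = conn.execute(
            "SELECT id FROM tags WHERE name = ?", (name,)).fetchone()[0]
        conn.execute("INSERT INTO article_tags (article_id, tag_id) "
                     "VALUES (?, ?)", (article_id, tag_id))
    return article_id

def articles_with_tag(conn, name):
    """Tag search is a join; the user-supplied tag is a bound parameter."""
    rows = conn.execute(
        "SELECT a.title FROM articles a "
        "JOIN article_tags ta ON ta.article_id = a.id "
        "JOIN tags t ON t.id = ta.tag_id "
        "WHERE t.name = ? ORDER BY a.id", (name,)).fetchall()
    return [r[0] for r in rows]
```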