
Hi everyone, I have a security question. First, to let you all know, I am using the PHP framework CodeIgniter. For one of the features I am making I am using the jQuery tag-it plugin, http://aehlke.github.io/tag-it/

I am then storing the values from the tag-it feature into my database. I have not fully made the functionality yet, but here is what I was going for:

    // tag-it submits the tags as an array field; cast so a missing field gives an empty array instead of an implode() warning
    $tags = (array) $this->input->post('tags');
    // flatten the array into one comma-separated string for the 'tags' column
    $interests = implode(',', $tags);
    $updateData = array(
        'tags' => $interests
    );
    // ion_auth writes the update against the currently logged-in user's row
    $this->ion_auth->update($this->ion_auth->user()->row()->id, $updateData);

So the above code would turn the array into a string separated with commas and store it in the database, and then use PHP explode to turn it back into an array. I have not really read the tag-it documentation, but what if somebody was able to bypass tag-it and enter a comma as a value? Would that mess the explode function up, or would it just return an empty value? So, if this made any sense, what I'm really asking is: is there a safer way to store and retrieve these values, and if yes, how so?

Edited by phpmaster57
https://forums.phpfreaks.com/topic/298275-storing-array-values-into-database-php/

There's no particular security problem with explode(). You have to treat the tags like any other dynamic value, that is, you have to escape them before showing them, you mustn't use them in a dangerous context like a script element, etc.

Your implementation sounds odd, though. Stuffing comma-separated values into a relational database is generally a bad idea, but it's particularly bad when you actually want to do something with the data. The whole point of tags is to allow tag-based searches, but that's nearly impossible when all tags are buried somewhere in large strings. Do you want to load the entire database into your application, step through each row, unpack the values and check if one of the tags matches? That will obviously kill performance. Or do you want to try some LIKE magic? That's extremely cumbersome, error-prone and, again, inefficient.

In the relational model, one piece of information goes into one row. For example, make one table for the tags, one table for the tagged objects (e.g. articles) and one table which assigns the tags to the objects (e.g. article_tags). Now searching by tag is trivial.

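To put both posts into working code, here is an added example that is not from the thread and not part of CodeIgniter, ion_auth or tag-it. It first shows what the implode/explode round trip does with a tag that itself contains a comma (no error, no empty value, just a tag silently split in two), then builds the one-row-per-tag layout the answer describes on an in-memory SQLite database through PDO, and finally escapes a tag for HTML output. The table and column names (tags, user_tags, name, user_id, tag_id) and the sample tags are invented for the example.

```php
<?php
// Added example: not the poster's code and not part of CodeIgniter or ion_auth.
// Uses an in-memory SQLite database through PDO; the table and column names
// (tags, user_tags, name, user_id, tag_id) are invented for this example.
declare(strict_types=1);

// 1. The comma-separated approach: implode() on save, explode() on load.
function roundTrip(array $tags): array
{
    $stored = implode(',', $tags);   // the string that would sit in the 'tags' column
    return explode(',', $stored);    // explode() cannot tell a separator from data
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

$input = ['php', 'web, dev', 'sql'];     // constructed input; one tag contains a comma
$back  = roundTrip($input);
// Nothing errors and nothing is empty: the tag 'web, dev' simply comes back as two
// tags ('web' and ' dev'), so the original array is not recoverable from the string.
check(count($back) === 4, 'a comma inside a tag splits it on the way back');

// 2. The relational layout from the answer: one tag per row in tags, one row per
//    (user, tag) pair in user_tags. A comma inside a tag name is now just data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tags (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)');
$pdo->exec('CREATE TABLE user_tags (user_id INTEGER NOT NULL, tag_id INTEGER NOT NULL,
            PRIMARY KEY (user_id, tag_id))');

function saveUserTags(PDO $pdo, int $userId, array $tags): void
{
    // Trim, drop empties, de-duplicate; values travel through prepared statements,
    // never into the SQL text itself.
    $tags = array_unique(array_filter(array_map('trim', $tags), 'strlen'));
    $pdo->beginTransaction();
    $pdo->prepare('DELETE FROM user_tags WHERE user_id = ?')->execute([$userId]);
    $insTag  = $pdo->prepare('INSERT OR IGNORE INTO tags (name) VALUES (?)');
    $findTag = $pdo->prepare('SELECT id FROM tags WHERE name = ?');
    $link    = $pdo->prepare('INSERT INTO user_tags (user_id, tag_id) VALUES (?, ?)');
    foreach ($tags as $tag) {
        $insTag->execute([$tag]);
        $findTag->execute([$tag]);
        $link->execute([$userId, (int) $findTag->fetchColumn()]);
    }
    $pdo->commit();
}

function usersWithTag(PDO $pdo, string $tag): array
{
    // Tag search is a join on an indexed column, not a LIKE over packed strings.
    $stmt = $pdo->prepare('SELECT ut.user_id FROM user_tags ut
                           JOIN tags t ON t.id = ut.tag_id
                           WHERE t.name = ? ORDER BY ut.user_id');
    $stmt->execute([$tag]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

saveUserTags($pdo, 1, ['php', 'web, dev', 'sql']);
saveUserTags($pdo, 2, ['sql', 'devops', '']);
check(usersWithTag($pdo, 'web, dev') === [1], 'the comma survives in the relational layout');
check(usersWithTag($pdo, 'sql') === [1, 2], 'tag search by join');

// 3. Whatever the storage, a tag is untrusted text: escape it when rendering HTML.
function renderTag(string $tag): string
{
    return '<li>' . htmlspecialchars($tag, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}
check(renderTag('<b>bold</b>') === '<li>&lt;b&gt;bold&lt;/b&gt;</li>', 'HTML escaping on output');
echo "all checks passed\n";
```

Run it with the PDO SQLite extension enabled (`php example.php`). The point of the first block is that the comma question is a data-integrity problem rather than a security one: explode() keeps working, it just returns more pieces than were saved. The second block is the article/article_tags idea from the answer applied to users, and the third is the "escape before showing" rule; in a CodeIgniter view the same escaping is what `html_escape()` does.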