disable html


ohdang888


Do it before going into database runs once

Do it after going into database runs a lot more times

 

You make the decision

 

So what happens when you only do this when inserting into the database and I bypass your security elsewhere.  Then I can insert whatever I want directly into the database and you are not cleaning it when it is displayed.

 


ok this must be something with the way my php is set up.

according to http://us3.php.net/manual/en/function.strip-tags.php

when i put in

<?php
$text = '<p>Test paragraph.</p><!-- Comment --> <a href="#fragment">Other text</a>';
echo strip_tags($text);
echo "\n";

// Allow <p> and <a>
echo strip_tags($text, '<p><a>');
?>

i should get:

Test paragraph. Other text
<p>Test paragraph.</p> <a href="#fragment">Other text</a>

But instead it doesn't.. it double spaces the "test paragraph" and then puts "other text" in a link.


well... if i clean it up BEFORE it ever goes into the database, won't that solve the security issue?

 

No.  If your site is only cleaning the data before it goes into the database and I can perform MySQL injection on your site, then I can place unclean data directly into your database.  Then when you display my unclean data your code will not clean it before display because you've made the assumption that everything in your database is clean, which it no longer is.


BUT, i want it to display the code, just not activate it (does that make sense?)... what do i need to add on this?

 

In other words, you don't want the html tags stripped out completely, you just don't want them to actually be interpreted by the browser? (e.g. you want the bold tags to show up, but not make the text bold?)

 

If so: htmlentities

 

And it's definitely better to do this on display than on input. Aside from the aforementioned security issues, what happens if you suddenly decide you DO want some of the HTML to be used?


Roopurt is correct. This is why I mentioned earlier that it is generally better practice to leave the entered data as it is, and clean it coming out. When I put anything in the database, it is put in exactly as the user entered. When coming out is when it is cleaned.

 

Take this scenario for instance. Let's say you want to htmlspecialchars all entered data. This way HTML will not be displayed on your site.

 

Let's say you have a database field called 'title' with a max length of 20 characters.

 

Your user enters "My Title <truestory>" = 20 characters.

 

However, when you put it into the database you htmlspecialchars it, converting the < and > to their unicode equivalent.

 

This means that what goes into the database is "My Title &lt;truestory&gt;" = 26 characters

 

When you go to retrieve it, and display it on your site you will end up with

 

"My Title <truestor"

 

Always parse coming out. While you can parse going in, I wouldn't recommend it.

 

 

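An added example in PHP, not code from the thread or its posters: a simulated 20-character 'title' column shows why encoding before storage loses part of the value, while storing the raw input and calling htmlspecialchars() on output keeps it intact. The storeTitle() helper and the constant are assumptions standing in for a real VARCHAR(20) column.

```php
<?php
// Added example (not from the thread): escaping before storage versus
// escaping on output, using the 20-character 'title' column from the post above.
// storeTitle() is an assumption that simulates a VARCHAR(20) column
// silently truncating whatever it is given.

const TITLE_MAX_LEN = 20;

function storeTitle(string $title): string
{
    return substr($title, 0, TITLE_MAX_LEN);
}

// Wrong order: encode on the way in, then display the stored value as-is
// because "everything in the database is already clean".
function saveEncodedThenDisplay(string $userInput): string
{
    $stored = storeTitle(htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8'));
    return $stored;
}

// Recommended order: store exactly what the user typed, encode on output.
// The tags are shown to the reader as text but never interpreted by the browser.
function saveRawThenDisplay(string $userInput): string
{
    $stored = storeTitle($userInput);
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

$input = 'My Title <truestory>'; // 20 characters, fits the column exactly

// Encoded form is 26 characters, so the column cuts off the tail:
// prints "My Title &lt;truesto" (the closing "ry>" is gone for good)
echo saveEncodedThenDisplay($input), "\n";

// Raw form fits; output encoding yields "My Title &lt;truestory&gt;",
// which the browser renders as the literal text "My Title <truestory>"
echo saveRawThenDisplay($input), "\n";
```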

^ In addition, there is also the case of reporting.  If you are pulling the data for display in a container that does not render HTML, such as a reporting application, then you are going to wind up with all sorts of junk if you called something like htmlentities() before storing in the database.

 

Or say you later want to write a cron job that will search your database for attempts by users to insert malicious code.  Now you will have to search through all sorts of &lt; or &gt; instead of simple < or >.

