Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
840 views
in Technique[技术] by (71.8m points)

php - How should be kept as HTML tags in database?

i create my new site. Now i learn and use Symfony. I have few questions.

  1. Why default Symfony allow add HTML tags to database? For example i create new module, i go to module/new, in title i enter <strong>test</strong> and next save it. In database MySQL i have <strong>test</strong>. Is it safe?
  2. I know - if i use simply $test->getTitle() then this render text <strong>test</strong>, but what if i would like add for user comments WYSYWIG and use RawValue()? Users can not close tags </strong> and all site is broken...
  3. They can for example steal cookies?
  4. Is any safe WYSIWYG editor for Symfony? If i use CKEditor or TinyMCE i am safety?
  5. On stackoverflow is WMD markdown, but anywhere can't find it. How he kept html tags in database? **test** ?
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

1a) Safe for what? As long as your database operations sanitize all user input via mysql_real_escape_string() before insertion into queries, then there's no way a malicious user could attack your database via injection attacks. HTML in the database is like anything other piece of text in the database - it's just text with some extra "weird" characters.

1b) As for why it allows it, did you explicitly tell it to NOT allow html? PHP/Symphony/MySQL do exactly as you tell them to.

2) Ensuring that the HTML is valid is up to you. You can use things like HTML Purifier to fix "broken" html.

3) If you're doing HTML sanitization/filtration, then a user can embed <script> blocks into the html they're adding and steal cookies via that method...

4) Those editors are just editors. They display stuff and let you (or others) edit that displayed material. They're as safe or unsafe as you want them to be. They're just tools. If you provide a loaded gun to someone, then don't be surprised if someone gets shot.

5) Just because some text has tags in it, of any sort, doesn't make that text magically "different" from other text. MySQL doesn't care, need to know, or even HAVE to know that you're inserting markdown'd text into a field. It just stores what you tell it to, and pulls it back out when you want it too.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...