100% secure way to store html in MySQL

I am working on a project in which the public (therefore everyone) is allowed to embed HTML through TinyMCE for their own project page. Since everyone is allowed to use this feature, I need a 100% safe way to insert TinyMCE output into my database and display it on another page, just as it was inserted by the user.

XSS, SQL injection and all that crap is not what I want on my new site! I could do htmlentities → htmlspecialchars and later use htmlentities_decode, but is it 100% safe and is this the best way to do this?

+4
3 answers

SQL injection is in most cases easily avoided using prepared statements.

XSS is more complicated if you plan to allow users to host HTML markup. You need to remove all <script> tags, all on* attributes from tags, all javascript: urls, and even then it may not be fully guaranteed that the input HTML is safe. There are libraries, such as HTMLPurifier, that can help, but as long as you allow HTML, you risk letting something malicious through.

Alternatively, you can use a library that implements something like Markdown or wikitext. This severely limits what users can enter, while still allowing them to mark up content to some extent. It is not fully functional (people can still post links to malicious sites and hope that some users will be naive enough to follow them), and in fact you won't be able to use a rich editor such as TinyMCE without a plugin, but sanitizing Markdown is a much simpler task than sanitizing HTML.

+6
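To make the answer's warning concrete, here is an added example (not code from the answer or from HTMLPurifier) of the blacklist approach it describes, together with a few constructed inputs that get past it, and the same inputs run through HTMLPurifier's allowlist. The regexes, the vector strings and the `naiveStrip()` name are this example's own; the HTMLPurifier part assumes the library was installed with `composer require ezyang/htmlpurifier` and is skipped if the autoloader is not present.

```php
<?php
declare(strict_types=1);

// Added example (not from the original answer): a blacklist filter of the kind the
// answer warns about, plus constructed inputs that slip past it. Requires PHP 7.4+.

/** Blacklist approach: strip <script>, on* attributes and javascript: URLs. */
function naiveStrip(string $html): string
{
    $html = preg_replace('#<script\b[^>]*>.*?</script>#is', '', $html);
    $html = preg_replace('#\son\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)#i', '', $html);
    $html = preg_replace('#javascript:#i', '', $html);
    return $html;
}

// Constructed test vectors (not real user data). Each one defeats naiveStrip():
$vectors = [
    // Single-pass removal: deleting the inner <script></script> pairs reassembles a script tag.
    'nested tag'       => '<scr<script></script>ipt>alert(1)</scr<script></script>ipt>',
    // The browser decodes &#x09; to a tab and drops it from the URL, giving a
    // javascript: scheme that the "javascript:" regex never saw.
    'entity in scheme' => '<a href="java&#x09;script:alert(1)">click</a>',
    // The HTML parser accepts "/" between attributes; the regex only looks for whitespace before on*.
    'slash separator'  => '<img src="x"/onerror=alert(1)>',
    // Active content the blacklist never considered at all.
    'other elements'   => '<iframe src="//attacker.example/"></iframe><object data="x.swf"></object>',
];

foreach ($vectors as $name => $html) {
    printf("%-18s naive: %s\n", $name, naiveStrip($html));
}

// A real sanitiser works the other way round: it parses the input into a tree,
// keeps only allowlisted elements and attributes, validates URI schemes after
// decoding entities, and re-serialises the result.
if (file_exists(__DIR__ . '/vendor/autoload.php')) {
    require __DIR__ . '/vendor/autoload.php';

    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,em,strong,ul,ol,li,a[href],img[src|alt]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('Cache.DefinitionImpl', null); // no on-disk definition cache needed for a demo
    $purifier = new HTMLPurifier($config);

    foreach ($vectors as $name => $html) {
        printf("%-18s purified: %s\n", $name, $purifier->purify($html));
    }
}
```

The point of the comparison is the direction of the rule set: `naiveStrip()` enumerates what it knows is bad, so every parser quirk it does not know about (attribute separators, entity decoding, tags reassembled by a single removal pass, elements it never listed) is a bypass. The allowlist has no such gaps to enumerate, which is why the answer points at a library rather than at more regexes.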

This is not feasible. You think that filtering is a good point, but in the end, it will not be possible to completely block it if you accept html. Take a look at things like bbcode, markdown, etc. to see some alternatives.

If you decide to accept HTML code, filtering is not the only thing that needs to be done; even encoding can cause serious security problems. Search for UTF-7, for example, to find out what the problems are. Examples here: http://www.webappsec.org/projects/articles/091007.txt

+3

Saving and displaying HTML are two different things.

For storing HTML in MySQL, mysql_real_escape_string() is sufficient and will protect you from SQL injection.

For display, it depends. You want users to be able to write HTML, but you want to be protected from XSS attacks, etc., so you should use a filter like HTMLPurifier (this is what Stackoverflow does). You only need to do this after you have extracted the HTML from the database.

You do not need to use htmlentities() or htmlentities_decode().

-3
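The store/display split this answer describes, and the explicit charset declaration the previous answer's UTF-7 point calls for, as an added example in PHP (not code from either answer, and not the project's own). It assumes a table `pages (id INT AUTO_INCREMENT PRIMARY KEY, html MEDIUMTEXT NOT NULL)`, HTMLPurifier installed via Composer, and placeholder connection details; the function names `savePage`, `loadPage`, `purifier` and `renderPage` are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not from the original answer). Assumptions: a MySQL table
// `pages (id INT AUTO_INCREMENT PRIMARY KEY, html MEDIUMTEXT NOT NULL)`, HTMLPurifier
// from "composer require ezyang/htmlpurifier", and placeholder DSN/credentials.
require __DIR__ . '/vendor/autoload.php';

function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', // placeholder DSN
        'app_user',                                         // placeholder user
        'app_password',                                     // placeholder password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements, no client escaping
        ]
    );
}

/** Storage: the editor output goes in unchanged; the placeholder keeps it out of the SQL text. */
function savePage(PDO $pdo, string $rawHtml): int
{
    $stmt = $pdo->prepare('INSERT INTO pages (html) VALUES (:html)');
    $stmt->execute([':html' => $rawHtml]);
    return (int) $pdo->lastInsertId();
}

function loadPage(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT html FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $html = $stmt->fetchColumn();
    return $html === false ? null : $html;
}

/** Display: sanitise on the way out against an explicit allowlist of elements, attributes and schemes. */
function purifier(): HTMLPurifier
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('HTML.Allowed',
            'p,br,h2,h3,b,i,em,strong,ul,ol,li,blockquote,a[href|title],img[src|alt]');
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
        $config->set('HTML.Nofollow', true);          // user-supplied links get rel="nofollow"
        $config->set('AutoFormat.RemoveEmpty', true);
        $purifier = new HTMLPurifier($config);
    }
    return $purifier;
}

function renderPage(PDO $pdo, int $id): void
{
    $raw = loadPage($pdo, $id);
    if ($raw === null) {
        http_response_code(404);
        return;
    }
    // State the charset in the header and in the markup so the browser never has to guess it;
    // charset sniffing is what makes the UTF-7 trick work in the first place.
    header('Content-Type: text/html; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo '<!DOCTYPE html><html><head><meta charset="utf-8"><title>Page</title></head><body>';
    echo purifier()->purify($raw); // sanitised HTML is echoed as markup, not htmlspecialchars()'d
    echo '</body></html>';
}

// Usage: $id = savePage(connect(), $_POST['content']); ... renderPage(connect(), $id);
```

Two design notes. First, nothing in the storage path looks at the content: the prepared statement keeps the HTML out of the SQL regardless of what it contains, which is the whole reason the answer separates storage from display. Second, purifying on every request is the simplest arrangement but not the cheapest; the common alternative is to purify once when the page is saved and store the sanitised copy alongside the raw one, re-running the purifier over stored content whenever its allowlist changes. A Content-Security-Policy header on the rendered page is a reasonable second line of defence, since any sanitiser bug then still has to get past the browser's script restrictions.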
