Suzanne — Fri, 12 Dec 2003 19:34:59 +0000

The threat is really to the site, not the database -- corrupted information coming out. The data, however, is at risk as well as most databases will "fix" anything that's going to hurt them, and there are some other issues with the database cutting off data if you have the fields set badly.

TonyMontana — Fri, 12 Dec 2003 18:44:04 +0000

"For instance they could open an tag and not close it, then all the text on the page would link where they wanted."

In this case, they are creating their own site, so I don't have a problem with it. I may consider stripping and replacing tags though, as Suzanne suggested.

Any threat to the database by leaving the tags/javascript in there? That's my main concern.

Thanks,

Suzanne — Fri, 12 Dec 2003 16:11:54 +0000

Yes, they definitely can. Stripping out tags and replacing them with your own codes can help, or just removing all tags (like comment scripts do).

In general it's better to keep the data clean from all markup except semantic tags like and , which do not influence anything other than the appearance and meaning of the data.

andy206uk — Fri, 12 Dec 2003 09:28:46 +0000

I believe they can. For instance they could open an tag and not close it, then all the text on the page would link where they wanted. Not good for your site. Also, javascript can be used to manipulate DOM so they could pop up windows, redirect users elsewhere and all sorts.

Its best to remove the html where ever possible.

TonyMontana — Fri, 12 Dec 2003 06:28:48 +0000

Thanks for the info, Suzanne. Can a user do anything malicious by entering HTML/javascript into a database through a form?

Suzanne — Thu, 11 Dec 2003 16:20:39 +0000

In order to protect the data as much as possible from the tampering of the and crew, I don't allow HTML into the database normally. Instead, when the data is displayed, I add the markup then.

It's especially useful for paragraphs, but can also work for anchors and other markup.

Dean Allan has something like this going for his CMS project -- http://www.textism.com/tools/textile/ -- but I think it goes into the database as markup, though standardized markup.

On the way in, I can (and sometimes do) change things to the correct HTML entities for things like degrees and quotes, however I also do this:

<?php
    $care = str_replace(\"\n\r\n\",\"</p>\n\n<p>\",$care);
    $care = str_replace(\"‘[^>]*’\",\"&#8216;[^>]*&#8217;\",$care);
    $care = str_replace(\"°\",\"&#176;\",$care);
?>

And then to display it for real:

<?php
echo \"<p>$care</p>\";
?>

Which puts the beginning and end on.

Better ways are welcome, please don't hesitate to cut this apart.

andy206uk — Thu, 11 Dec 2003 12:24:24 +0000

Wow... cool function. I didnt know that existed. I've been doing eregi_replace("\n","<br>","$string");'

Must remember that one!

TonyMontana — Thu, 11 Dec 2003 05:28:42 +0000

"Depending on the application, it's better to create new paragraphs on output, not put the information into the database with the markup attached, btw."

Can you elaborate more on that? In one case, the user has the ability to write their own HTML which is stored in a database. It's dynamically written to an HTML window when retrieved for viewing. I just want to make sure nothing malicious makes its way into the database.

Suzanne — Thu, 11 Dec 2003 03:38:55 +0000

When a form is submitted, it returns some hidden characters for new lines and carriage returns. Often the format is \n\r -- new line, carriage return.

This is what's tested for, it's not something the user enters. The user just presses return or enter and creates a visual new line.

Depending on the application, it's better to create new paragraphs on output, not put the information into the database with the markup attached, btw.

TonyMontana — Thu, 11 Dec 2003 00:28:56 +0000

Does a message board text area like this one detect new lines in the same manner? If I can avoid telling the client: put \n for every new line I'd like to.