Best practice for storing HTML in mysql DB

January 12, 2019, at 01:10 AM

I'm working on a mini blog which allows users to add a post using a WYSIWYG editor to the site; therefore I will be storing this post in my DB.

Having researched Markdown, I have come to the conclusion that it is not fit for purpose, since I require local video uploads, which is why I am now planning on storing the HTML from the WYSIWYG editor in my DB.

I do, however, have some concerns regarding SQL injection and XSS attacks; however, I have researched a solution, which is HTML Purifier.

If I use HTML Purifier to remove unwanted HTML tags, is this then a safe solution to store the HTML in my DB?

Answer 1

Storing HTML in the database is not intrinsically unsafe, any more than storing plain text is intrinsically unsafe. The risk of SQL injection is trivially mitigated by using prepared statements and proper placeholders. Escaping is neither necessary nor is it best practice for preventing SQL injection. Prepared statements are.

Conversely, XSS and other HTML-related vulnerabilities have nothing to do with the database and everything to do with rendering HTML to viewers from untrusted sources. The same vulnerabilities would be there if the HTML were simply stored in files, with no database at all, so there is no need to protect the database from malicious HTML. The database has no knowledge of or vulnerability to what's contained in stored HTML content, because it doesn't render or interpret the HTML... again, as long as your database interactions use prepared statements. There are no acceptable justifications for avoiding those.

To exaggerate the point to an extreme, it would be perfectly safe to store files containing viruses as blobs in a database, because the database does not execute the data stored in it, as code. The vulnerability would be to the users downloading those viruses.
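The two halves of this answer side by side, as an added example that is not from the answer or from HTML Purifier: a parameterised INSERT that stores a hostile-looking post verbatim (the placeholder keeps it as data, so there is no SQL injection), and an allowlist sanitizer applied at render time, which is where the XSS risk actually lives. It assumes an in-memory sqlite3 table standing in for the MySQL one and a small tag allowlist chosen for the example.

```python
import html
import sqlite3
from html.parser import HTMLParser
# Tags and attributes the blog allows (an assumption for this example); everything else is dropped.
ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href"}, "video": {"controls", "src"}}
SKIP_CONTENT = {"script", "style"}  # text inside these is dropped together with the tags

def store_post(conn, author, body_html):
    """Parameterised INSERT: the HTML is bound as data and never spliced into the SQL string."""
    conn.execute("INSERT INTO posts (author, body) VALUES (?, ?)", (author, body_html))
    return conn.execute("SELECT body FROM posts WHERE author = ?", (author,)).fetchone()[0]
class AllowlistSanitizer(HTMLParser):
    """Render-time allowlist in the spirit of HTML Purifier (a simplified stand-in, not its code)."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.skip += tag in SKIP_CONTENT  # unknown tag dropped; script/style body dropped too
            return
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # drops onclick, onerror, style and any other unlisted attribute
            if value is None:
                kept += f" {name}"  # boolean attribute such as controls
            elif name not in ("href", "src") or value.strip().lower().startswith(("http://", "https://", "/")):
                kept += f' {name}="{html.escape(value, quote=True)}"'  # rejects javascript: and data: URLs
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")
        elif tag in SKIP_CONTENT and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip: self.out.append(html.escape(data))  # text nodes are always entity-escaped
def sanitize(body_html):
    p = AllowlistSanitizer(); p.feed(body_html); p.close()
    return "".join(p.out)

# Constructed post: a SQL-injection attempt, a script tag, a javascript: link and a legitimate video.
RAW_POST = ('<p>Hi\'); DROP TABLE posts; --</p><script>alert(1)</script>'
            '<a href="javascript:alert(1)" onclick="x()">x</a><video controls src="/u/clip.mp4"></video>')

def demo():
    conn = sqlite3.connect(":memory:")  # stands in for the MySQL table
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    stored = store_post(conn, "alice", RAW_POST)
    return {"stored_verbatim": stored == RAW_POST, "rendered": sanitize(stored)}
```

Note that the stored row is byte-for-byte what the editor sent; the sanitizer runs on the way out to the browser, so tightening the allowlist later does not require rewriting stored posts.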

Answer 2

You can store HTML in SQL... but escape it first.

See the example here...
