I'm currently using the following PHP class to store html, css and javascript code to my mysql database.
```php
function filter($data) {
$data = trim(htmlentities
```
Yes, MySQL can store any type of text technically safely. Which means, MySQL will save the text as is and will return it again without losing any data.
MySQL does not differ between the content of the text, so it makes no difference if it is HTML, CSS, JS code or your friend's last email.
However if you output the text later on you should take care that there is no unwanted code injection after you've pulled the data from MySQL. But that's not related to MySQL actually.
To make your SQL more secure, pass the database handle to mysql_real_escape_string or even better use MySQLi and/or PDO and prepared statements.
Your code looks like you're trying a lot to prevent something, but in the end it turns out pretty useless:
```php
function filter($data) {
    $data = trim(htmlentities(strip_tags($data)));
    if (get_magic_quotes_gpc())
        $data = stripslashes($data);
    $data = strip_tags($data);
    $data = mysql_real_escape_string($data);
    return $data;
}
```
First of all you should change the position of the check for get_magic_quotes_gpc to normalize the data the function is working on. It would be even better if your application would not rely on it but just denies working if that option is enabled - see this important information here about that if you care about security.
But for the safeness of your code posted, let's first normalize the input value to the function before processing it further. This is done by moving the check to the top of the function.
```php
function filter($data)
{
    // normalize $data because of get_magic_quotes_gpc
    $dataNeedsStripSlashes = get_magic_quotes_gpc();
    if ($dataNeedsStripSlashes)
    {
        $data = stripslashes($data);
    }
    // normalize $data because of whitespace on beginning and end
    $data = trim($data);
    // strip tags
    $data = strip_tags($data);
    // replace characters with their HTML entities
    $data = htmlentities($data);
    // mysql escape string
    $data = mysql_real_escape_string($data);
    return $data;
}
```
In this modified function, the magic quotes stuff (which you should not use) has been moved to the top of it. This ensures that regardless of whether that option is on or off, data will always be processed the same. Your function did not do so; it would have created different results for the same data passed. So this has been fixed.
Even though the function looks better now, it still has many problems. For example, it's unclear what the function actually does. It does many things at once and some of them are contradictory:
- `strip_tags` - `$data` should not contain HTML
- `htmlentities` - `$data` to have actually contain HTML entities.
So what should the data be? HTML or not? It does not introduce more security if things become unclear because this will benefit that errors come into your program and in the end even pass your security precautions.
So you should just throw away the code and consider the following:
So if you want to make your code more secure, this is not about throwing a bunch of functions onto some data because you think those are security related. By doing so you don't make your software more secure but less secure.
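The separation the second answer argues for, as an added example in PHP (not code from the question or either answer): the submitted code is stored unmodified through PDO prepared statements and escaped only at the moment of HTML output. The table, column and DSN values are placeholders.

```php
<?php
// Added example (not from the question or either answer): keep storage and
// output concerns separate instead of stacking strip_tags/htmlentities/
// mysql_real_escape_string in one filter() function.
//
// Assumptions: a PDO connection to a table `snippets` with columns
// `id`, `title`, `body`; all names are placeholders for this example.

declare(strict_types=1);

// 1. Storage: do not alter the user's code at all. A prepared statement
//    separates the SQL from the data, so no escaping of $body is needed and
//    HTML/CSS/JS is stored byte-for-byte as submitted.
function saveSnippet(PDO $pdo, string $title, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO snippets (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// 2. Reading the snippet back, again with a bound parameter.
function loadSnippet(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM snippets WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : (string) $body;
}

// 3. Output as text: escape for the HTML context only when rendering.
//    The stored value is untouched, so the same row can also be served raw
//    (for example as a file download) by a different code path.
function renderSnippetAsHtml(string $body): string
{
    return '<pre><code>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</code></pre>';
}

// Usage with a placeholder DSN; magic quotes are not consulted anywhere,
// which is what the second answer recommends.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$id   = saveSnippet($pdo, 'demo', "<script>alert('hi')</script>");
$body = loadSnippet($pdo, $id);
echo renderSnippetAsHtml($body);
// The stored body still contains the literal <script> tag; the page shows it
// as text because escaping happened at output, not at storage.
```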