
I have a CMS that I am working on for a client; he wants to add a code textbox so he can paste special code for pages on a page-by-page basis. So, I need to be able to give the user a way to input javascript tags into a page they are editing. When that page loads, the java code will show and run.

For example, Facebook code: it would be pasted into this code textarea and saved in the MySQL database.

Note: the site is still using mysql_query and has not been converted. The client has been told but has no interest in updating, so I need the example done with mysql_query.

```html
<script type="text/javascript">(function(d, s, id) {
    var js, fjs = d.getElementsByTagName(s)[0];
    if (d.getElementById(id)) return;
    js = d.createElement(s); js.id = id;
    js.src = "//connect.facebook.net/en_US/all.js#xfbml=1";
    fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script>
```

How can I safely save this to the database without breaking the javascript?

thanks!

John
  • Possible duplicate: http://stackoverflow.com/questions/13087378/how-to-insert-javascript-into-mysql-database – showdev Apr 25 '13 at 22:15
  • "*When that page loads, the java code will show and run*". Doing so (i.e. redisplaying HTML, CSS or JavaScript without escaping) implies XSS vulnerabilities. You should be very careful about it. – Lion Apr 25 '13 at 23:29

2 Answers


If you use mysql_real_escape_string you should be able to escape any characters that would otherwise mess with your query.

```php
$jsData = $_POST['jsData'];
// escape before embedding in the SQL text; requires an open mysql_connect() link
$sql = "INSERT INTO yourTable (someColumn) VALUES ('" . mysql_real_escape_string($jsData) . "')";
mysql_query($sql);
```

After having a little chat with @Basic, I am going to point out to you that I strongly suggest you consider switching over to mysqli or pdo as these two classes will provide you with a safer way to query your database, and possibly even a faster way to do so.

What have you tried
  • You missed enclosing single quotes - if `$jsData` is `1); DROP TABLE yourTable--` you'd let them corrupt the Db – Basic Apr 25 '13 at 22:23
  • @Basic Thank you, I've updated. I'm assuming that was the reasoning for the downvote – What have you tried Apr 25 '13 at 23:08
  • It was. Downvote removed although I'd still argue `mysql_real_escape_string` is insufficient :) – Basic Apr 25 '13 at 23:15
  • @Basic I 100% agree with you, but for me it's a waste of time trying to explain to users why / how to use mysqli, etc. I feel like if the users want to learn that, they will do so on their own times. Between me and you, I completely agree that mysql_real_escape_string is not the way to go. – What have you tried Apr 25 '13 at 23:20

Don't use mysql_real_escape_string

It's a step in the right direction but is not perfect. You need to use parameterised queries

eg...

```php
// $dbh is an open PDO connection, e.g. new PDO('mysql:host=localhost;dbname=cms', $user, $pass)
$stmt = $dbh->prepare("INSERT INTO snippets (url, snippet) VALUES (:url, :snippet)");
// bindParam binds by reference, so the variables may be assigned after binding
$stmt->bindParam(':url', $url);
$stmt->bindParam(':snippet', $snippet);

// insert one row
$url = '/path/to/page';

$snippet = "<script type=\"text/javascript\">/*Your Javascript goes here*/</script>";
// OR
$snippet = $_REQUEST['Snippet'];

$stmt->execute();
```
Basic
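The round trip Basic's answer describes, as an added example that is not from the question or either answer: it stores the question's Facebook snippet through a parameterised INSERT, reads it back through a parameterised SELECT and checks that the bytes survived unchanged. It assumes PDO with an in-memory SQLite database so it runs offline (swap the DSN for MySQL) and the `snippets` table from the answer above.

```php
<?php
// Added example (not the question's or the answers' code). Assumes PDO with
// SQLite in memory; for the real site change the DSN to a mysql: one.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE snippets (url TEXT PRIMARY KEY, snippet TEXT)');

// Store and re-read one snippet using bound parameters only. The value is
// never spliced into the SQL text, so quotes, slashes and semicolons in the
// JavaScript cannot alter the statement and no escaping function touches it.
function roundTrip(PDO $dbh, string $url, string $snippet): bool
{
    $ins = $dbh->prepare('INSERT INTO snippets (url, snippet) VALUES (:url, :snippet)');
    $ins->execute([':url' => $url, ':snippet' => $snippet]);

    $sel = $dbh->prepare('SELECT snippet FROM snippets WHERE url = :url');
    $sel->execute([':url' => $url]);
    $stored = $sel->fetchColumn();

    // true when the stored bytes are identical to what was submitted
    return $stored === $snippet;
}

// Constructed sample input: the Facebook SDK loader from the question.
$snippet = <<<'JS'
<script type="text/javascript">(function(d, s, id) {
    var js, fjs = d.getElementsByTagName(s)[0];
    if (d.getElementById(id)) return;
    js = d.createElement(s); js.id = id;
    js.src = "//connect.facebook.net/en_US/all.js#xfbml=1";
    fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script>
JS;

$intact = roundTrip($dbh, '/about', $snippet);
var_dump($intact);

// When rendering the page, this column is echoed unescaped on purpose (the
// client wants it to execute), which is exactly why only an authenticated
// editor may write to it; every other user-supplied string still goes
// through htmlspecialchars() before it reaches the HTML.
```

The parameter binding solves the "without breaking the javascript" part; it does not make the rendered output safe, so the write path to this column is where the access control has to sit.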