I'm making a website similar to jsfiddle, where the user can save their JavaScript code and retrieve it back indented. I don't know which DATA TYPE I should use to save the code or if I should save it in text files. Also, when the data is printed using PHP, how do I indent it?

Gabriel Ilharco

4 Answers

You'd better save it in text files with a randomly chosen name and save the name into the database, or use the saved ID as name. Of course if you delete a row in the database you'll have to delete the file too.

If you just want to save them in the database then choose TEXT or BLOB. VARCHARs are bad for large texts and if you don't know the length.

If you display/use content uploaded from users you have to carefully take care of people that try to exploit stuff.

About indentation, if you display them in a textarea you shouldn't have any problems.

n1xx1
  • And what about indentation? How will I indent code if it's in the database? Because to save the site from injections I'll use HTMLENTITIES, MYSQL_REAL_ESCAPE_STRING and many others, so that will add values like < etc... So I think text is the best, but what according to you is best? – user2273901 May 28 '13 at 05:02
  • Why would you use HTMLENTITIES? It's javascript code, it doesn't have to be parsed by the browser as html. Saving as BLOB will avoid charset problems. – n1xx1 May 28 '13 at 05:05
  • I don't want JS to run on my site, I just need to save the code and it should be indented as the user indented it while creating the file. So now should I use BLOB or should I go with separate text files? – user2273901 May 28 '13 at 05:08
  • @user: BLOB and text files will keep tab characters. BLOB will be faster but will make your database bigger and bigger and often this can cause problems. Saving as text file will be slower, but often it isn't that much that you should care about. – n1xx1 May 28 '13 at 05:11
  • Yes, that's the reason I'm not using BLOB and going to work with text files, but one more query: why will it be slower? – user2273901 May 28 '13 at 05:13
  • @user: I've read something and actually a big database won't slow down. Just use BLOBs. – n1xx1 May 28 '13 at 07:17

You could store the data in a varchar, but you should probably pursue alternate storage possibilities such as storing them in individual *.js files. As for indentation, all characters including indentation characters will be saved with the js.

vijrox
  • No... I can't, because I don't want it to be executed on my site... I just want to store code and make it possible for the user to retrieve it when he wants, and also to take care of the indents the user made while creating the file – user2273901 May 28 '13 at 05:12

I would use BLOB; it's quicker for retrieving than grabbing a filename out of the db and then getting the file. Also, though the chances are slim if you have your site set up right, it's possible to execute the JavaScript files on the server, opening it up to vulnerabilities if you're running node.js or something.

chrislondon

You should use LONGTEXT type. If you can guarantee that your data will be less than about 8KB, you can use VARCHAR or TEXT types (Relevant MySQL documentation).

If there is a possibility that the text may contain some binary data, you may have to resort to BLOB or LONGBLOB types.

Regarding indentation: you can store tabs or spaces as well as newlines in your field and basically treat them as normal text files.

mvp
  • The data size is not sure!... It might be 1 MB or it might be 1 KB, so what should I do? Should I use TEXT FILES saved in another directory? – user2273901 May 28 '13 at 05:05
  • `LONGTEXT` or `BLOB`/`LONGBLOB` may give you some trouble but only if size is beyond about 1MB or 16MB depending on client configuration. I don't think you would allow snippets more than 1MB, would you? – mvp May 28 '13 at 05:07
  • Hm... that's right, but if I get data from the database then is it possible to indent the code properly? Because by using HTML PRE TAGS it won't work, because I'm also using HTML ENTITIES and MYSQL_REAL_ESCAPE_STRING? – user2273901 May 28 '13 at 05:10
  • For the love of all that is holy, please, [**always use prepared statements**](http://php.net/manual/en/pdo.prepared-statements.php)! Then you will never have to worry about escaping anything. In PHP context, that also means you must use [`mysqli`](http://php.net/manual/en/mysqli.prepare.php) or `PDO`. – mvp May 28 '13 at 05:13
  • I didn't understand what you told me :( – user2273901 May 28 '13 at 05:15
  • In order to read or write data, use prepared statements. This makes sure your code is safe from SQL injection, and also does not need to escape anything - it will always read back exactly what was written – mvp May 28 '13 at 05:16
  • The code will be entered by the user, and what does prepared statements mean? – user2273901 May 28 '13 at 05:19
  • Please read this, carefully: http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php. As a nice side effect of using prepared statements, string escaping is NOT necessary, and you are guaranteed to read exactly what was written, even if it contains quotes, dollars, and other possibly harmful code (which you typically have to painfully escape) – mvp May 28 '13 at 05:22
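
Added example (not code from any of the answers above): the approach the last comment thread describes, shown end to end in PHP with PDO. The snippet is written unmodified through a prepared statement and HTML-escaped only when it is printed, so indentation survives and the stored code is displayed rather than parsed. It assumes an in-memory SQLite database in place of MySQL so it runs without a server; the table, the function names and the 1 MB cap are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for MySQL so this runs without a server.
// With MySQL only the DSN changes and the column would be LONGTEXT.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE snippets (id INTEGER PRIMARY KEY, code TEXT NOT NULL)');

const MAX_SNIPPET_BYTES = 1048576; // hypothetical 1 MB cap

function saveSnippet(PDO $pdo, string $code): int
{
    if (strlen($code) > MAX_SNIPPET_BYTES) {
        throw new LengthException('Snippet too large');
    }
    // Store the raw text: no htmlentities(), no manual escaping.
    $stmt = $pdo->prepare('INSERT INTO snippets (code) VALUES (:code)');
    $stmt->bindValue(':code', $code, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function loadSnippet(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT code FROM snippets WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $code = $stmt->fetchColumn();
    return $code === false ? null : (string) $code;
}

function renderSnippet(string $code): string
{
    // Escape once, at output time; <pre> keeps tabs, spaces and newlines.
    return '<pre>' . htmlspecialchars($code, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

// Constructed sample input: tabs, both quote styles and markup-looking text.
$input = "function hi() {\n\tif (a < b && s !== 'x') {\n\t\tel.innerHTML = \"</pre><b>hi</b>\";\n\t}\n}\n";

$stored = loadSnippet($pdo, saveSnippet($pdo, $input));
if ($stored !== $input) {
    throw new RuntimeException('Round trip changed the snippet');
}
echo renderSnippet($stored), "\n";
```

When the snippet is shown in a `<textarea>` instead of `<pre>`, the same `htmlspecialchars()` call is applied to the element's content.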