
I'm building a website for a friend, and he basically wants to be able to add some YouTube videos to his page from time to time.

Trying to keep it simple and not time-consuming, I wanted to simply store the "share video" embed code from youtube.com in the MySQL database and simply echo it in the right container using PHP.

So obviously, there will be a moment where the embed code is going to be saved in the database using POST (in a session / htaccess password-protected admin page).

And there is also a moment where a query will be made to print it in the website document.

MY QUESTION IS: Is this a dangerous practice? Is there a risk of SQL failure/injections that could be caused by, let's say, the slashes contained in the string?

Example of the saved code:

Thanks a lot Martin

  • It's only unsafe if you're inserting and retrieving it unsafely – Daryl Gill Sep 29 '14 at 22:49
  • I would only save the video's link or id and use a method for proper display. This way if they change their code for embedding videos, all you need to do is edit in one place - not do difficult operations on your db data. – kero Sep 29 '14 at 23:01
  • It is not unsafe to keep the whole embed code in the database. Just make sure you insert the code in a safe way. An example is using PDO prepared statements: http://php.net/manual/en/pdo.prepared-statements.php. – Bas Slats Sep 29 '14 at 23:19
  • Thank you all guys, this actually answers my question. @kingkero thanks for the good idea, I might just do that! – user3482994 Sep 30 '14 at 21:26

0 Answers
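The approach suggested in the comments (store only the video ID, insert it with a PDO prepared statement, build the embed markup at display time), as an added example that is not code from the thread. Assumptions: the `videos` table and the `youtube_id()` helper are hypothetical names, the 11-character ID pattern is the commonly observed format rather than a documented guarantee, the sample inputs are constructed, and an in-memory SQLite database stands in for the MySQL connection so the script runs offline.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept a pasted YouTube URL or bare ID and return
// the video ID, or null if the input is not a recognised YouTube link.
function youtube_id(string $input): ?string
{
    $idPattern = '/^[A-Za-z0-9_-]{11}$/';   // assumed ID format
    $input = trim($input);
    if (preg_match($idPattern, $input)) {
        return $input;
    }
    $parts = parse_url($input);
    if ($parts === false || !isset($parts['host'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    $path = $parts['path'] ?? '';
    $id = null;
    if ($host === 'youtu.be') {
        $id = ltrim($path, '/');
    } elseif (in_array($host, ['youtube.com', 'www.youtube.com', 'm.youtube.com'], true)) {
        if ($path === '/watch') {
            parse_str($parts['query'] ?? '', $query);
            $id = $query['v'] ?? null;
        } elseif (preg_match('#^/embed/([^/]+)$#', $path, $m)) {
            $id = $m[1];
        }
    }
    return (is_string($id) && preg_match($idPattern, $id)) ? $id : null;
}

$pdo = new PDO('sqlite::memory:');           // stand-in for the MySQL DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE videos (id INTEGER PRIMARY KEY, youtube_id TEXT NOT NULL)');

$submitted = [                               // constructed admin-form inputs
    'https://www.youtube.com/watch?v=abcDEF12345',
    'https://youtu.be/abcDEF12_-x',
    '<iframe src="https://example.com/x"></iframe>',  // not a YouTube link: rejected
];
$insert = $pdo->prepare('INSERT INTO videos (youtube_id) VALUES (:yid)');
foreach ($submitted as $value) {
    if (($id = youtube_id($value)) !== null) {
        $insert->execute([':yid' => $id]);   // value is bound, never concatenated into SQL
    }
}

// Display: the markup lives in one place and the stored value is escaped on output.
foreach ($pdo->query('SELECT youtube_id FROM videos') as $row) {
    $src = 'https://www.youtube.com/embed/' . rawurlencode($row['youtube_id']);
    printf("<iframe width=\"560\" height=\"315\" src=\"%s\" allowfullscreen></iframe>\n",
        htmlspecialchars($src, ENT_QUOTES, 'UTF-8'));
}
```

Because the parameter is bound, slashes or quotes in a submitted value cannot alter the query, and because only a validated ID is stored, nothing from the database is echoed into the page as raw HTML.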