Right now I'm using a form to store HTML input, and then storing it in the database using PDO and MySQL. The website then uses these inserted values to display parts of the site. Is that safe? Is there a better solution? What are the possible security implications?
- http://stackoverflow.com/q/60174/ - http://en.wikipedia.org/wiki/Cross-site_scripting – Funk Forty Niner Mar 03 '15 at 16:19
- Thanks, looking at it now. – Masu Mar 03 '15 at 16:19
- There is nothing wrong with *storing HTML*. The problem is in emitting the HTML *without escaping in the appropriate context*. SQL injection is not about HTML (or any data *actually* stored), but about allowing invalid/arbitrary/malicious SQL to run in an unexpected query "shape". – user2864740 Mar 03 '15 at 16:20
- This is essentially how Content Management Systems work. – Barmar Mar 03 '15 at 16:22
- I see, thanks for your comment, Barmar. – Masu Mar 03 '15 at 16:25
1 Answer
Is that safe? Yes, so long as you're using something like HTML Purifier when you actually display it to the user.
Is it the best solution? Perhaps not. But hardly the worst.

Scott Arciszewski
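The two separate concerns raised in the comments and the answer (keep the query shape fixed with a PDO prepared statement when storing, then sanitize the stored HTML with HTML Purifier only at the point where it is rendered) put together, as an added example that is not code from the question or the answer. The `pages` table, the `storePage`, `renderPageBody` and `renderPageTitle` functions and the element whitelist are assumptions made for the illustration; HTML Purifier is assumed to be installed via Composer.

```php
<?php
// Added example, not from the question or the answer. Assumes a `pages`
// table (id, body) and HTML Purifier installed via Composer; the table
// name, the function names and the whitelist are illustrative choices.
require __DIR__ . '/vendor/autoload.php';

// Storing: the prepared statement passes the submitted HTML as a bound
// parameter, so it is data and can never change the "shape" of the
// query. Nothing is escaped or stripped at this stage; the raw markup
// is kept exactly as submitted.
function storePage(PDO $pdo, string $rawHtml): int
{
    $stmt = $pdo->prepare('INSERT INTO pages (body) VALUES (:body)');
    $stmt->execute([':body' => $rawHtml]);
    return (int) $pdo->lastInsertId();
}

// Displaying: the stored HTML is still untrusted when it comes back out.
// HTML Purifier rebuilds it against a whitelist of elements, attributes
// and URI schemes, so script elements, event-handler attributes and
// javascript: links are dropped while ordinary markup survives.
function renderPageBody(PDO $pdo, int $id): string
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,a[href]');
        $purifier = new HTMLPurifier($config);
    }
    $stmt = $pdo->prepare('SELECT body FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $raw = $stmt->fetchColumn();
    return $raw === false ? '' : $purifier->purify($raw);
}

// Any context where markup is not wanted at all (a <title>, an attribute
// value, plain text) is escaped for that context instead of purified.
function renderPageTitle(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Stand-alone usage against an in-memory SQLite database; the submitted
// value is a constructed sample containing markup that should not render.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)');
$id = storePage($pdo, '<p>Hi</p><script>alert(1)</script><a href="javascript:alert(1)">x</a>');
echo '<title>' . renderPageTitle('Page <' . $id . '>') . '</title>';
echo renderPageBody($pdo, $id);
```

The same stored value can be served to another consumer (a JSON API, a plain-text e-mail) with that consumer's own escaping, which is the reason to purify on output rather than destroy information on input.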