I have a form which has a textarea input. This text area will have some custom "tags" that I would like to make, similar to the * operator in SO's textarea which gets processed and interpreted as italics or bold depending on how it's used.

The end goal is to process this long string of text, make any formatting modifications needed, then write it to a database table. I'm not really sure how to approach this problem, however.

My first thought was to use $_POST, but I'm unsure if it's a good idea to store very large strings in this array, as I cannot find any information on how much data it is good to store in this array. Is there some best practice for transferring large amounts of data to another page? Should I be using jQuery for this? If so, how?

xcdemon05
  • Unless you're talking megabytes, then what's wrong with $_POST? There is a limit defined in [php.ini](http://php.net/manual/en/ini.core.php#ini.post-max-size) defaulting to 8MB, but if you can change this, there shouldn't be an issue.... and 8MB is a very big string – Mark Baker Jul 30 '15 at 18:32
  • @MarkBaker In the later stages of my application I could be talking much more than 8 MB. But if changing the .ini wouldn't cause any issues that would work. I'm just not sure if there's an accepted best practice for this sort of thing. – xcdemon05 Jul 30 '15 at 18:35
  • Please be careful of cross site scripting. The golden rule is never to trust user input and absolutely not allow them to pass php or any special code. If you have to allow certain html then ensure you are doing stripslashes and rest of the drill for cleaning out the output before you do any processing or storage with it. – pal4life Jul 30 '15 at 18:41
  • @pal4life Can you elaborate a bit more? In case I wasn't clear, I'm just passing the raw string of the textarea input field to a different php page. Is there room for malicious user input in that activity? I'm quite new to web development so I'm honestly not sure here. – xcdemon05 Jul 30 '15 at 18:51
  • @xcdemon05 Better to hear it from the horse's mouth here at http://stackoverflow.com/a/129767/805923, and the other answers should help too. – pal4life Jul 30 '15 at 22:07
  • The bold/italics formatting you're talking about is a markup language called Markdown. There exists a PHP library for it already: https://github.com/michelf/php-markdown - I strongly recommend you use that and be very careful about user input (links, script tags, etc). – elithrar Jul 31 '15 at 00:15

2 Answers

$_POST will most likely be used, whether or not you do this with jQuery. The default limit of $_POST is already high enough to handle most user input, short of file uploads. If you need it to be greater than 8MB, you can change that on the webserver in your php.ini file. I've had a similar application, and in testing I had no problem pasting >64MB into my textarea.

I would also consider changing the order of operations a little bit. I'd do one or the other of the following:

1) Rather than format your text prior to db insertion, format it on the way back out to the browser. That way, if you change the way your input gets formatted, you have the original data to apply it to. It's a little more work for the server when displaying the data, but it's likely you'll have a much easier time maintaining your application down the line.

2) Store both the formatted text and the raw text in the database. This has the benefit of speed by not having to format it on its way to the user every time it's called, and also allows you the ability to build a means of changing the format of the data later, at some coding expense.

EDIT: As pal4life stated in a comment, you want to avoid executing any of the user input. Essentially, if your method is to save the input to a file, and then recall it with an include() or require(), you open yourself up to some severe security vulnerabilities. An attacker could upload code like <?php var_dump($conn); or much worse. I believe you may safely readfile(), however the browser is still vulnerable to any potential javascript that may have been placed there by an attacker.

Jerbot
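Putting pal4life's comment and Jerbot's edit together as a runnable PHP script (an added example, not code from either of them): the handler bounds the size of the submission, stores the raw text unchanged, and does the *bold* / _italic_ formatting on the way back out, escaping first so that any HTML, script or `<?php` the user typed is displayed as text rather than executed. It assumes a `posts` table with a `body` column, SQLite through PDO for the demo, and a hypothetical `MAX_TEXT_BYTES` limit; the hostile input at the bottom is constructed for the demo.

```php
<?php
// Added example: accept textarea text from $_POST, store it raw, format on output.
declare(strict_types=1);

// Hypothetical per-submission cap; keep it below post_max_size in php.ini.
const MAX_TEXT_BYTES = 1024 * 1024;

/**
 * Validate the raw submission and return the text to store.
 * The text is never passed to include(), require() or eval(); it is data only.
 */
function acceptSubmission(array $post): string
{
    if (!isset($post['body']) || !is_string($post['body'])) {
        throw new InvalidArgumentException('missing body');
    }
    $body = $post['body'];
    if (strlen($body) > MAX_TEXT_BYTES) {
        throw new LengthException('body exceeds ' . MAX_TEXT_BYTES . ' bytes');
    }
    if (!mb_check_encoding($body, 'UTF-8')) {
        throw new InvalidArgumentException('body is not valid UTF-8');
    }
    return $body; // stored unmodified; formatting happens at render time
}

/**
 * Store the raw text with a prepared statement, so it is a parameter, not SQL.
 */
function storeRaw(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

/**
 * Render stored text for the browser: escape FIRST, then apply the
 * *bold* and _italic_ markers, so the only tags in the output are ours.
 */
function renderBody(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    $safe = preg_replace('/\*([^*\n]+)\*/', '<strong>$1</strong>', $safe);
    $safe = preg_replace('/_([^_\n]+)_/', '<em>$1</em>', $safe);
    return nl2br($safe);
}

// Demo: in-memory SQLite database and a constructed hostile submission.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$fakePost = ['body' => "*hello* <script>alert(1)</script>\n<?php echo 1; ?>"];
$id = storeRaw($db, acceptSubmission($fakePost));

$stmt = $db->prepare('SELECT body FROM posts WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

echo renderBody($row['body']), PHP_EOL;
```

The order inside `renderBody` is the whole point: if the markers were expanded before escaping, the `<strong>` tags would be escaped along with the attacker's `<script>`, and if escaping were skipped, the script would run in every reader's browser. Keeping the raw text in the database (Jerbot's option 1) means this renderer can be swapped for a real Markdown library later without touching stored rows.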
Using $_POST is a pretty good way to start; if it's getting bigger than 8 MB, change the php.ini. If it's getting much larger, you can start slicing your string and send the chunks via jQuery to your web server and concatenate them afterwards.

But for the first run I would prefer the standard way and use $_POST.

dschniepp
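The server side of the "slice the string and send chunks" approach, as an added example that is not part of the answer: each chunk arrives as its own POST carrying a server-generated upload token and a chunk index; the receiver checks both, caps the chunk and total sizes, writes parts under a path built only from its own values, and reassembles in order once every part has arrived. The jQuery sender is not shown. The limits, the `/tmp/chunked-uploads` directory and the `$session` array (standing in for `$_SESSION` so the demo runs from the CLI) are assumptions for this example; the 10 KB string at the bottom is constructed.

```php
<?php
// Added example: receive and reassemble a chunked textarea submission.
declare(strict_types=1);

// Hypothetical limits chosen for the example.
const CHUNK_MAX_BYTES = 4 * 1024 * 1024;   // each chunk stays under post_max_size
const TOTAL_MAX_BYTES = 256 * 1024 * 1024;
const TMP_DIR = '/tmp/chunked-uploads';    // must not be web-accessible

/** Create an upload token and record how many chunks to expect. */
function startUpload(array &$session, int $chunkCount): string
{
    if ($chunkCount < 1 || $chunkCount > intdiv(TOTAL_MAX_BYTES, 1024)) {
        throw new InvalidArgumentException('bad chunk count');
    }
    $token = bin2hex(random_bytes(16));        // unguessable, generated server-side
    $session['uploads'][$token] = ['count' => $chunkCount, 'received' => []];
    return $token;
}

/** Validate one chunk from $post and append it to the upload's temp parts. */
function receiveChunk(array &$session, array $post): void
{
    $token = $post['token'] ?? '';
    $index = $post['index'] ?? '';
    $data  = $post['data']  ?? null;
    if (!is_string($token) || !isset($session['uploads'][$token]) || !is_string($data)) {
        throw new InvalidArgumentException('unknown upload or missing data');
    }
    $upload = &$session['uploads'][$token];
    if (!ctype_digit((string) $index) || (int) $index >= $upload['count']) {
        throw new InvalidArgumentException('chunk index out of range');
    }
    if (strlen($data) > CHUNK_MAX_BYTES) {
        throw new LengthException('chunk too large');
    }
    if (!is_dir(TMP_DIR) && !mkdir(TMP_DIR, 0700, true)) {
        throw new RuntimeException('cannot create temp dir');
    }
    // The part path uses only the server-issued token and a validated integer,
    // never a client-supplied file name.
    file_put_contents(TMP_DIR . "/$token." . (int) $index, $data);
    $upload['received'][(int) $index] = strlen($data);
}

/** Concatenate the parts in order, clean up, and return the full text. */
function finishUpload(array &$session, string $token): string
{
    $upload = $session['uploads'][$token] ?? null;
    if ($upload === null || count($upload['received']) !== $upload['count']) {
        throw new RuntimeException('upload incomplete');
    }
    if (array_sum($upload['received']) > TOTAL_MAX_BYTES) {
        throw new LengthException('upload exceeds total limit');
    }
    $text = '';
    for ($i = 0; $i < $upload['count']; $i++) {
        $part = TMP_DIR . "/$token.$i";
        $text .= file_get_contents($part);
        unlink($part);
    }
    unset($session['uploads'][$token]);
    return $text;   // from here on, treat it exactly like a single $_POST['body']
}

// Demo: simulate a client splitting a constructed string into 4000-byte chunks.
$session  = [];
$original = str_repeat("line of text\n", 800);
$chunks   = str_split($original, 4000);
$token    = startUpload($session, count($chunks));
foreach ($chunks as $i => $chunk) {
    receiveChunk($session, ['token' => $token, 'index' => (string) $i, 'data' => $chunk]);
}
$joined = finishUpload($session, $token);
var_dump($joined === $original);
```

The reassembled string goes through the same size check, encoding check and escape-on-output path as a single-POST submission; chunking only changes how the bytes arrive, not how much the server should trust them.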