
So here is the thing: I'm working on my own little PHP-based forum software for my college exam (comp. sciences). One thing I found tricky to do is to allow HTML content. One of the exam requirements is SQL security.

In my forum I want to allow someone to copy and paste something from the internet, like say a Wikipedia article, with all hyperlinks and font styling transferring over once they paste it into the forum textarea.

I was able to achieve this with the use of nicEditor, which is a JS WYSIWYG editor. Now the problem stems from the way I validate the user input. In order to make the input secure, it's called in this format:

parsebbCode(htmlentities(stripslashes($posts_content)))

This pretty much renders everything useless, turning HTML into plain text. So here is the thing: how can I store the HTML code in its default state in MySQL and convert it into rich format once it's going to the client side, without creating a SQL vulnerability? Or should I just write some BBCode to parse the basic elements instead?

  • If you use parameters to update your DB, SQL injection attacks will be foiled. It's only when you use ad hoc SQL text queries that you are vulnerable like that. – T McKeown Dec 27 '15 at 18:21
  • Probably not useful for you, but have you considered using BLOBs in SQL? It allows you to store binary data. You could convert the pasted material into the blob row, and when the client asks for that specific "post" you could render the HTML on your server and send the "rendered" object with the blob ripped out and inserted into the area where you want rich text. I don't see how you could inject SQL problems into this because it's saving the text and not necessarily parsing it and acting on it, since you are converting it to binary. Again, could be wrong about this, but just a thought. – TimD Dec 27 '15 at 18:46

1 Answer


I originally added this as a comment, but this is truly an answer:

If you use parameters to update your DB, SQL injection attacks will be foiled. It's only when you use ad hoc SQL text queries that you are vulnerable like that.

Here is a link:

How can I prevent SQL injection in PHP?

  • Ah, PDO. This project/exam is running with old-school mysql_* since it's based on older code that I started back around 2010. Just need the grade for it, so I'm overlooking PDO. However, given that PDO does most SQL validation for you, I will take your advice and re-write it into PDO. –  Dec 27 '15 at 18:31
  • It's the only real option for you. – T McKeown Dec 27 '15 at 18:34
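The answer's point, bound parameters instead of ad hoc SQL text, as an added PHP/PDO example. This is not code from the question, the answer, or the asker's forum project. It assumes a MySQL database reachable through PDO, a hypothetical posts table with an auto-increment id and a content column, and placeholder DSN and credentials; the pasted HTML fragment is constructed for the example.

```php
<?php
// Added example; assumes this (hypothetical) table exists:
//   CREATE TABLE posts (id INT AUTO_INCREMENT PRIMARY KEY, content MEDIUMTEXT NOT NULL)
// DSN, user and password below are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=forum;charset=utf8mb4',
    'forum_user',
    'CHANGE_ME',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// Constructed sample input: a pasted rich-text fragment. The apostrophe and the
// double dash would matter if this string were glued into SQL text; as a bound
// parameter they are just bytes in the value.
$posts_content = '<p>Alan Turing\'s <a href="https://en.wikipedia.org/wiki/Turing_machine">machine</a> -- 1936</p>';

// Store the HTML exactly as received: no htmlentities(), no stripslashes().
// The placeholder keeps the value out of the SQL statement, so the driver
// never has to parse user content as SQL.
function storePost(PDO $pdo, string $html): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (content) VALUES (:content)');
    $stmt->execute([':content' => $html]);
    return (int) $pdo->lastInsertId();
}

// Load by id. The id is bound as an integer, so a value like "1 OR 1=1"
// arriving from the request cannot alter the query's shape.
function loadPost(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT content FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['content'];
}

$id   = storePost($pdo, $posts_content);
$html = loadPost($pdo, $id);

// The row comes back byte-for-byte as stored, so the links and styling survive.
// Bound parameters settle only the SQL side; because this is raw user-supplied
// markup, run it through an allowlist HTML sanitizer (HTML Purifier is one)
// before echoing it into a page.
echo $html;
```

The same pattern replaces every mysql_query() call that builds SQL from $posts_content or a request parameter: prepare once with placeholders, then execute with the values. The content column can stay TEXT/MEDIUMTEXT; a BLOB is not needed, since the binding already separates data from query text.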