How can I insert a code snippet into a database and then display that code in a textarea identically to how I inserted it?

When I compare the code going in and coming out, they are never the same; for some reason I can't get it to work.

<?php
// Open the SQLite database and fetch the stored snippet for id 1.
$db = new SQLite3('test.db');
$r = $db->query("select * from test where id='1'");
$f = $r->fetchArray();

// The stored data is written straight into the page with no output encoding,
// so any markup in it (including a closing </textarea>) is interpreted by the browser.
echo "<textarea rows='10' style='width:500px;'>$f[data]</textarea>";
$db->close();

This is the code I'm testing with:

't apple \n\r 

♦   &diams; &#9830; black (solid) diamond suit

<textarea></textarea>
$£%^&*()!@">RWH{{@£})"":?'
<form>dfddf
<input type="button">
</form>

How can I insert it into the database correctly to display the data identically within the textarea?

Kire
  • You must output-encode the data before inserting it into HTML; otherwise this will break with some characters and is an XSS security risk. – eckes Nov 09 '17 at 03:59
  • Hi eckes, thank you for replying. How do I encode it before inserting it into a database, and how do I decode it to be identical, without any of the code executing or changing, just like in the question? The code is there as I inserted it; I want to achieve that. – Kire Nov 09 '17 at 04:10
  • htmlentities() - http://php.net/manual/en/function.htmlentities.php – Airerr Nov 09 '17 at 04:10
  • What's the string you are storing in your database? – Sam Nov 09 '17 at 04:21
  • Hi Airerr, that works, it displays the code **identically**, thank you – Kire Nov 09 '17 at 04:23
  • Hi Samuel, it's a snippet, be it HTML, JavaScript, PHP, or anything, as long as it remains identical to when it was inserted without executing or changing the inserted data. – Kire Nov 09 '17 at 04:26
  • No problem Kire, I added an answer with a simple string with `html` code in it... using `htmlentities` – Sam Nov 09 '17 at 04:35

1 Answer

I highly recommend not storing code in your database; this can lead to some pretty serious security flaws. But you can use htmlentities() when adding the code to the database.

Keep in mind this is not going to make you fully secure, however, it will at least change the tags to symbols.

htmlentities — Convert all applicable characters to HTML entities

This will do what you need to be done to store the result in your database:

$string = '<h1>This is a Heading 1</h1>';

Now when running your sql query, add the htmlentities function with your string:

htmlentities($string);

If you print that you will see:

<h1>This is a Heading 1</h1>

Instead of:

This is a Heading 1

Sam
  • Hi Samuel, I see what you are saying. Through googling "encode", would encoding it with **base64_encode** before passing it into the database, then using **htmlentities(base64_decode($f[data]))** to display, work? If I did that, how serious would the security flaw be then? – Kire Nov 09 '17 at 04:45
  • There are various layers of risk you have to be concerned about. Pulling the data from the database is usually less of a risk; the biggest problem comes when storing data in your database. Read this for more information: http://php.net/manual/en/security.database.sql-injection.php – Sam Nov 09 '17 at 04:57
  • If you use prepared statements you do not need to base64 encode the data you write to the DB. I would store it unencoded and unescaped in the DB to keep the data portable. – eckes Nov 09 '17 at 06:13
  • Hi Samuel, I hear what you are saying. What if I prepare the SQL by using bindParam, like: http://php.net/manual/en/pdo.prepared-statements.php, and use htmlentities on the data and then insert it? Would that way be safer? – Kire Nov 09 '17 at 06:18
  • Hi eckes, I recreated the query to use prepared statements. I placed the snippet into the DB and it was identical; it also executed the JavaScript code identically too, so that must have been the XSS attack you talked about. You said I should store it unencoded and unescaped; does that mean I use htmlentities on display to stop any XSS attacks? – Kire Nov 09 '17 at 06:23
  • This is a good site while browsing XSS: https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know – Kire Nov 09 '17 at 07:08
  • Thank you all. I feel satisfied with using PDO, prepare, and bindParam when inserting, and using htmlentities when displaying. If there is anything else that I need to do, would you please comment? Thank you. – Kire Nov 09 '17 at 07:10
  • @kire good mate, I'm sorry I hadn't seen your last few messages – Sam Nov 09 '17 at 15:04
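The approach the thread settles on (prepared statement on insert, raw storage, htmlentities only at output), as an added example that is not code from the question or the answer. It uses an in-memory SQLite database so it runs stand-alone; the table name, column names and the `textareaHtml()` helper are assumptions, and the test string is constructed after the snippet in the question.

```php
<?php
declare(strict_types=1);

// Constructed test snippet modelled on the one in the question: a quote, literal
// backslash sequences, entity text, a closing </textarea>, and a <form>.
$snippet = "'t apple \\n\\r\n\n♦   &diams; &#9830; black (solid) diamond suit\n\n"
         . "<textarea></textarea>\n\$£%^&*()!@\">RWH{{@£})\"\":?'\n"
         . "<form>dfddf\n<input type=\"button\">\n</form>\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE test (id INTEGER PRIMARY KEY, data TEXT NOT NULL)');

// INSERT with a bound parameter: the value is neither escaped nor base64-encoded,
// so the database holds the snippet byte-for-byte and stays portable.
$ins = $db->prepare('INSERT INTO test (id, data) VALUES (:id, :data)');
$ins->bindValue(':id', 1, PDO::PARAM_INT);
$ins->bindValue(':data', $snippet, PDO::PARAM_STR);
$ins->execute();

// SELECT, again with a bound parameter for the id.
$sel = $db->prepare('SELECT data FROM test WHERE id = :id');
$sel->bindValue(':id', 1, PDO::PARAM_INT);
$sel->execute();
$stored = (string) $sel->fetchColumn();

// Output encoding happens here and only here. ENT_QUOTES covers both quote
// characters and the charset must match the page's declared charset. Without
// this step the literal </textarea> in the data would end the control early and
// the <form> and <input> that follow would be rendered as live markup.
function textareaHtml(string $data): string
{
    return "<textarea rows='10' style='width:500px;'>"
         . htmlentities($data, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
         . '</textarea>';
}

// Round-trip checks: the database copy is identical to the input, and decoding
// the entity-encoded form the browser receives gives the same bytes back.
if ($stored !== $snippet) {
    throw new RuntimeException('database copy differs from input');
}
$encoded = htmlentities($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
if (html_entity_decode($encoded, ENT_QUOTES | ENT_HTML5, 'UTF-8') !== $snippet) {
    throw new RuntimeException('output encoding is not reversible');
}

echo textareaHtml($stored);
```

htmlspecialchars() with the same flags is sufficient for the textarea case; htmlentities() is used here only to match what the thread recommends.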