0

I am storing PHP snippets in a MySQL database. I am using mysql_real_escape_string and all is well unless there is a & in the PHP code, and then I get a MySQL error. Is there another way I should try and store this information?

Thanks

Peter

3 Answers

3

@Peter: unless you're building a website for helping developers, you have no reason to put PHP code into your database. It's a warning: this is gonna be a big nightmare to maintain/debug. Can't you link your pages to some parameters and then in your code use these parameters to build each request? It may seem a simple design solution at the beginning "how god I can do whatever I want in all my pages" but it might be the worst you're taking on your project.

I don't know how to say this but you should really try to consider another solution. And I'm not speaking about security: if you have an SQL injection the guy can execute SQL AND PHP so he can really take all your system/server down, or even attack bigger sites with yours (and then you'll be responsible).

I'm really surprised everyone is fine with it.

remi bourgarel
0

Use base64_encode when you save the snippet into the database and base64_decode when you retrieve it.

CristiC
  • 5
    Don't do it, because search in DB will be impossible. – OZ_ Jun 07 '11 at 10:21
  • 1
    Upvoted answer. The OP wants to store code in DB, and base64 encoding is a proper solution. Also, searching the DB won't be impossible, just searching the actual code (why would that be needed anyway?) – J.C. Inacio Jun 07 '11 at 10:24
  • 2
    He can store code in DB without stupid encodings! Pluses of base64 here: none; minuses: search will be disabled, overhead to encode/decode. – OZ_ Jun 07 '11 at 10:28
  • I just tried base64_encode but MySQL still only stored up to the &. Is the problem maybe passing the & via POST? – Peter Jun 07 '11 at 10:50
  • Doh .... it works fine if I update the DB via PHP but not with the jQuery I was using.... Thanks for your help guys – Peter Jun 07 '11 at 10:53
  • Glad you've worked it out. You should tick Parkyprg's answer for his helping support (the tick on the left hand side of the answer) – Ben Jun 07 '11 at 11:54
  • @Ben I am not using base64_encode the problem was something else altogether – Peter Jun 07 '11 at 12:16
  • 1
    @Peter: Post your solution to the problem here as a new answer, and accept it. – CristiC Jun 07 '11 at 12:53
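
Added example, not part of the original thread: the truncation at & that Peter describes in the comments above is what a form-encoded POST body does when a value is concatenated in without percent-encoding. It assumes (the thread does not show it) that the jQuery call built its body as a string; the field names `id` and `code`, the helper names and the sample snippet are constructed for illustration.

```javascript
// Constructed sample: a PHP snippet that contains '&', as in the question.
const snippet = '<?php if ($a && $b) { echo "x=1&y=2"; } ?>';

// Fragile: the value is concatenated into the body as-is, so every '&'
// inside it is read by the server as a separator between fields.
function naiveBody(code) {
  return 'id=7&code=' + code;
}

// Correct: each value is percent-encoded before it goes on the wire.
// (Passing an object as jQuery's `data` option has the same effect.)
function encodedBody(code) {
  return new URLSearchParams({ id: '7', code: code }).toString();
}

// Stand-in for the server's form parser (the step that fills $_POST in PHP).
function parseBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// What the server would hand to the INSERT as the snippet text.
function storedCode(body) {
  return parseBody(body).code;
}

console.log(JSON.stringify(storedCode(naiveBody(snippet))));
console.log(JSON.stringify(storedCode(encodedBody(snippet))));
console.log(Object.keys(parseBody(naiveBody(snippet))));
```

The naive body also creates extra fields out of the snippet's own text, so any server code that trusts the full set of POST keys sees parameters the client never intended to send.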
0

First, I am going to go on record and say I wholeheartedly agree with remi bourgarel. This is likely a bad idea.

But, from a technical standpoint here's how I'd do this IF I NEEDED TO:

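// Snippet to store; single quotes keep $var from being interpolated here.
$php_code = '
    <?php
        $var = "this is a string";
        $var = strtoupper($var);
        echo $var;
    ?>
';
// Hex-encode the snippet so the SQL literal contains only [0-9a-f].
$php_code = bin2hex($php_code);
// x'...' is MySQL's hex-literal syntax; the column receives the original string.
$db->query("INSERT INTO php_code_snips (text_code) VALUES(x'{$php_code}')");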

bin2hex will transform the string $php_code from a binary string to a hex string, and the x'{$php_code}' tells MySQL to expect a hex string.

This means the string is stored as a string in the DB, and is fully searchable. But, since all chars are encoded as hex during the INSERT the special chars won't cause a problem.

Documentation:

bin2hex

Mysql Hex Values

ben