Storing php code in a mysql table



Andy92
08-24-2007, 02:30 PM
Hi there,

I am developing a private message system on my website, but the thing is, I have it at the moment so users can't send code in their private messages.

Because if they write php code into their messages, and I allow them to post it, the messages are stored in mysql databases, and people could write php code to take down my database from the inside, or write php code to refresh the page every second etc.

How do I store code in mysql, so that it doesn't take effect? And when I print it, I want it to print the actual code, and not do the code.

Like this...


<? echo "kjdhj"; ?>

I want to store php in mysql, and print it like above, so it doesn't actually just echo kjdhj.

:confused::confused:

Fumigator
08-25-2007, 12:09 AM
Try running the string through htmlentities() (http://us2.php.net/manual/en/function.htmlentities.php).

Andy92
08-25-2007, 12:22 AM
Nice.

Does that work with php also?

What about any sorts of code?

rafiki
08-25-2007, 03:15 AM
mysql_real_escape_string? (http://www.php.net/mysql_real_escape_string)

Boshi
08-25-2007, 03:17 AM
Ahem, just storing the message inside quotes " and " is good enough, as it will be turned into a string and won't get executed unless you use eval on the message. The only things that CAN be executed are Javascripts and HTML tags, nothing else. But yeah, use mysql_real_escape_string on the message too.

Andy92
01-12-2008, 12:56 PM
Ok, got it all working now with htmlentities

It's great!

matak
01-12-2008, 02:58 PM
Ok, got it all working now with htmlentities

It's great!


Make sure you use mysql_real_escape_string if you have 3rd party users who are able to insert data in mysql.

Strange, I'm the 3rd person who mentioned this and no answer from the OP on it.. :?

lol, this thread is 4 months old

Inigoesdr
01-12-2008, 08:05 PM
He works slow. :p

Andy92
01-13-2008, 09:43 PM
I don't work slow, I just forgot about this thread, then I remembered that there was a way to do it when I came back to it, so I searched for this thread again.

Also, what do you mean use mysql_real_escape?

Basically, I am allowing users to post comments at my blog, then when they submit it, it scans it for htmlentities

:)

matak
01-13-2008, 10:55 PM
htmlentities won't protect you from mysql injections. :)

hammer65
01-14-2008, 05:39 PM
Even in this case I wouldn't use document-specific encoding for values in a database. Do the encoding on output to the page; encoding data on input in that way pollutes and bloats your data, but doesn't really benefit security.

mres should be used on all strings used in database queries. However, this has nothing to do with preventing execution of that code. For that, using htmlentities and not running it through eval on output will ensure that it is treated like nothing other than a string of text.

Andy92
01-14-2008, 10:32 PM
htmlentities won't protect you from mysql injections. :)

How can I protect this from happening then?

ahallicks
01-14-2008, 10:50 PM
mysql_real_escape_string...

Andy92
01-15-2008, 12:53 AM
So, what does this do that is so different to htmlentities??

Digicoder
01-15-2008, 12:59 AM
That makes sure that people can't insert SQL and hack your database, basically.

Inigoesdr
01-15-2008, 02:39 AM
So, what does this do that is so different to htmlentities??
Read the manual pages.. They do two different things. htmlentities() (http://php.net/htmlentities) converts characters with an HTML character entity equivalent into them, and mysql_real_escape_string() (http://php.net/mysql_real_escape_string) escapes characters that would alter your query (quotes, etc.).

Given the string:
test &#169; & 'test'
htmlentities() returns:

test &copy; &amp; 'test'
mysql_real_escape_string() returns:

test &#169; & \'test\'
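An added example (not code from the thread) of the split hammer65 describes and Inigoesdr's comparison illustrates: keep the stored message raw, keep user text out of the query with a PDO prepared statement (used here in place of mysql_real_escape_string, which was removed in PHP 7), and encode only when the message is printed. The table name and columns and the in-memory SQLite database are assumptions made for the demonstration.

```php
<?php
// Added example, not from the thread. Assumes a table
// messages(id, sender, body); SQLite in memory is used so it runs offline.

function store_message(PDO $db, string $sender, string $body): void
{
    // Placeholders keep the user's text out of the query structure, so no
    // quote in the message can alter the SQL. The body itself is stored raw,
    // with no HTML encoding applied on input.
    $stmt = $db->prepare('INSERT INTO messages (sender, body) VALUES (:sender, :body)');
    $stmt->execute([':sender' => $sender, ':body' => $body]);
}

function render_message(string $body): string
{
    // Encoding happens only here, on output. ENT_QUOTES encodes both ' and "
    // so a quote cannot break out of an attribute. The <?php ... ?> in the text
    // becomes plain characters; it is only ever echoed, never passed to eval().
    return nl2br(htmlentities($body, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)');

// Constructed sample message: PHP, quotes of both kinds, and a script tag.
$message = "<?php echo \"kjdhj\"; ?> and O'Brien's \"quoted\" <script>alert(1)</script>";
store_message($db, 'andy', $message);

// Read it back: the stored body is byte-for-byte what the user typed.
$row = $db->query('SELECT body FROM messages')->fetch(PDO::FETCH_ASSOC);
echo render_message($row['body']), PHP_EOL;
```

The printed line shows the PHP and the script tag as literal text, and the single quotes come out as a complete entity with its closing semicolon.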

Andy92
01-15-2008, 06:01 PM
When I put htmlentities on my string it comes out like...


test &copy; &amp; &#39test&#39

Also, the ; is ending the &#39
