  1. #1
    Regular Coder Andy92's Avatar
    Join Date
    Nov 2005
    Location
    Horsham, West Sussex, UK
    Posts
    363
    Thanks
    7
    Thanked 1 Time in 1 Post

    Storing php code in a mysql table

    Hi there,

    I am developing a private message system on my website, but the thing is, I have it at the moment so users can't send code in their private messages.

    Because if they write PHP code into their messages, and I allow them to post it, the messages are stored in MySQL databases, and people could write PHP code to take down my database from the inside, or write PHP code to refresh the page every second, etc.

    How do I store code in MySQL so that it doesn't take effect? And when I print it, I want it to print the actual code, and not run the code.

    Like this...

    PHP Code:
    <?php echo "kjdhj"; ?>
    I want to store PHP in MySQL, and print it like above, so it doesn't actually just echo kjdhj.


  • #2
    UE Antagonizer Fumigator's Avatar
    Join Date
    Dec 2005
    Location
    Utah, USA, Northwestern hemisphere, Earth, Solar System, Milky Way Galaxy, Alpha Quadrant
    Posts
    7,691
    Thanks
    42
    Thanked 637 Times in 625 Posts
    Try running the string through htmlentities().

  • #3
    Regular Coder Andy92's Avatar
    Join Date
    Nov 2005
    Location
    Horsham, West Sussex, UK
    Posts
    363
    Thanks
    7
    Thanked 1 Time in 1 Post
    Nice.

    Does that work with PHP also?

    What about other sorts of code?

  • #4
    Senior Coder rafiki's Avatar
    Join Date
    Aug 2006
    Location
    Floating around somewhere...
    Posts
    2,042
    Thanks
    19
    Thanked 42 Times in 42 Posts

  • #5
    New Coder
    Join Date
    Jul 2007
    Location
    Latin America
    Posts
    25
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Ahem, just storing the message inside quotes " and " is good enough, as it will be turned into a string and won't get executed unless you use eval on the message. The only things that CAN be executed are JavaScript and HTML tags, nothing else. But yeah, use mysql_real_escape_string on the message too.

  • #6
    Regular Coder Andy92's Avatar
    Join Date
    Nov 2005
    Location
    Horsham, West Sussex, UK
    Posts
    363
    Thanks
    7
    Thanked 1 Time in 1 Post
    Ok, got it all working now with htmlentities.

    It's great!

  • #7
    Banned
    Join Date
    Apr 2007
    Posts
    428
    Thanks
    29
    Thanked 5 Times in 5 Posts
    Quote Originally Posted by Allsortgroup:
        Ok, got it all working now with htmlentities.

        It's great!
    Make sure you use mysql_real_escape_string if you have third-party users who are able to insert data into MySQL.

    Strange, I'm the third person who has mentioned this and no answer from the OP on it.. :?

    Edit: lol, this thread is 4 months old
    Last edited by matak; 01-12-2008 at 02:00 PM.

  • #8
    Super Moderator Inigoesdr's Avatar
    Join Date
    Mar 2007
    Location
    Florida, USA
    Posts
    3,638
    Thanks
    2
    Thanked 404 Times in 396 Posts
    He works slow.

  • #9
    Regular Coder Andy92's Avatar
    Join Date
    Nov 2005
    Location
    Horsham, West Sussex, UK
    Posts
    363
    Thanks
    7
    Thanked 1 Time in 1 Post
    I don't work slow, I just forgot about this thread, then I remembered that there was a way to do it when I came back to it, so I searched for this thread again.

    Also, what do you mean, use mysql_real_escape?

    Basically, I am allowing users to post comments on my blog, then when they submit it, it scans it for htmlentities.



  • #10
    Banned
    Join Date
    Apr 2007
    Posts
    428
    Thanks
    29
    Thanked 5 Times in 5 Posts
    htmlentities won't protect you from mysql injections.

  • #11
    Regular Coder
    Join Date
    Dec 2007
    Location
    Nebraska
    Posts
    113
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Even in this case I wouldn't use document-specific encoding for values in a database. Do the encoding on output to the page; encoding data on input in that way pollutes and bloats your data but doesn't really benefit security.

    mres should be used on all strings used in database queries. However, this has nothing to do with preventing execution of that code. For that, using htmlentities and not running it through eval on output will ensure that it is treated as nothing other than a string of text.
    Deliver yesterday, code today, think tomorrow.

  • #12
    Regular Coder Andy92's Avatar
    Join Date
    Nov 2005
    Location
    Horsham, West Sussex, UK
    Posts
    363
    Thanks
    7
    Thanked 1 Time in 1 Post
    Quote Originally Posted by matak:
        htmlentities won't protect you from mysql injections.
    How can I protect this from happening then?

  • #13
    Senior Coder ahallicks's Avatar
    Join Date
    May 2006
    Location
    Lancaster, UK
    Posts
    1,134
    Thanks
    1
    Thanked 57 Times in 55 Posts
    mysql_real_escape_string...
    "write it for FireFox then hack it for IE."
    Quote Originally Posted by Mhtml:
        Domains are like women - all the good ones are taken unless you want one from some foreign country.
    Reputation is your friend

    Development & SEO Tools

  • #14
    Regular Coder Andy92's Avatar
    Join Date
    Nov 2005
    Location
    Horsham, West Sussex, UK
    Posts
    363
    Thanks
    7
    Thanked 1 Time in 1 Post
    So, what does this do that is so different to htmlentities?

  • #15
    New Coder
    Join Date
    Sep 2007
    Location
    US
    Posts
    88
    Thanks
    4
    Thanked 4 Times in 4 Posts
    That makes sure that people can't insert SQL and hack your database, basically.
    I need to find a book about all this stuff. God, that's gonna be one big book!

    http://www.gamezftw.com
    Play On!
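
The two separate concerns the thread arrives at (#11 and #15), shown together as an added example that is not from any poster: keep the message out of the SQL statement on the way in, and encode for HTML only on the way out. It uses PDO prepared statements in place of the thread's mysql_real_escape_string (the mysql extension was removed in PHP 7), and an in-memory SQLite database stands in for MySQL so the script runs offline; the sample message is constructed.

```php
<?php
// Added example (not from the thread): store a user's message that contains
// PHP and HTML so that it is neither treated as SQL by the database layer
// nor interpreted as markup by the browser.
declare(strict_types=1);

// In-memory SQLite stands in for MySQL; the PDO calls are identical for both.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)');

// Constructed sample message: PHP code, a script tag, and a quote character
// that would terminate a concatenated SQL string literal.
$sender = 'andy';
$body   = '<?php echo "kjdhj"; ?> <script>alert(1)</script> it\'s';

// VULNERABLE (what #10 and #11 warn about): the message text is spliced into
// the SQL itself, so a stray quote changes the statement. Left commented out.
// $db->exec("INSERT INTO messages (sender, body) VALUES ('$sender', '$body')");

// SAFE: the body travels as a bound parameter, so the SQL parser never sees it
// as part of the statement, and the bytes are stored exactly as typed
// (no encoding on input, as #11 advises).
$ins = $db->prepare('INSERT INTO messages (sender, body) VALUES (:sender, :body)');
$ins->execute([':sender' => $sender, ':body' => $body]);

// OUTPUT: encode at render time only. htmlspecialchars turns < > & " ' into
// entities, so the browser displays the code instead of interpreting it.
function render_message(string $body): string
{
    return '<pre>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
}

$row = $db->query('SELECT body FROM messages WHERE id = 1')->fetch(PDO::FETCH_ASSOC);

// The stored text is unchanged, and the rendered form carries no raw tags.
if ($row['body'] !== $body) {
    throw new RuntimeException('stored message was altered');
}
$html = render_message($row['body']);
if (strpos($html, '<?php') !== false || strpos($html, '<script') !== false) {
    throw new RuntimeException('render left raw markup in the output');
}
echo $html, PHP_EOL;
```

Run it from the command line with a PHP build that has pdo_sqlite enabled; against real MySQL only the DSN and credentials in the PDO constructor change.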

