Storing php code in a mysql table

08-24-2007, 02:30 PM
Hi there,

I am developing a private message system on my website, but the thing is, I have it at the moment so users can't send code in their private messages.

Because if they write PHP code into their messages, and I allow them to post it, the messages are stored in MySQL databases, and people could write PHP code to take down my database from the inside, or write PHP code to refresh the page every second etc.

How do I store code in MySQL so that it doesn't take effect? And when I print it, I want it to print the actual code, and not do the code.

Like this...

<? echo "kjdhj"; ?>

I want to store PHP in MySQL, and print it like above, so it doesn't actually just echo kjdhj.


08-25-2007, 12:09 AM
Try running the string through htmlentities() (http://us2.php.net/manual/en/function.htmlentities.php).

08-25-2007, 12:22 AM

Does that work with PHP also?

What about any sorts of code?

08-25-2007, 03:15 AM
mysql_real_escape_string? (http://www.php.net/mysql_real_escape_string)

08-25-2007, 03:17 AM
Ahem, just storing the message inside quotes " and " is good enough, as it will be turned into a string and won't get executed unless you use eval on the message. The only things that CAN be executed are JavaScript and HTML tags, nothing else. But yeah, use mysql_real_escape_string on the message too.

01-12-2008, 12:56 PM
Ok, got it all working now with htmlentities

It's great!

01-12-2008, 02:58 PM
Ok, got it all working now with htmlentities

It's great!

Make sure you use mysql_real_escape_string if you have 3rd-party users who are able to insert data into MySQL.

Strange, I'm the third person who mentioned this and no answer from the OP on it.. :?

lol, this thread is 4 months old

01-12-2008, 08:05 PM
He works slow. :p

01-13-2008, 09:43 PM
I don't work slow, I just forgot about this thread, then I remembered that there was a way to do it when I came back to it, so I searched for this thread again.

Also, what do you mean use mysql_real_escape?

Basically, I am allowing users to post comments on my blog, then when they submit it, it scans it for htmlentities


01-13-2008, 10:55 PM
htmlentities won't protect you from mysql injections. :)

01-14-2008, 05:39 PM
Even in this case I wouldn't use document-specific encoding for values in a database. Do the encoding on output to the page; encoding data on input in that way pollutes and bloats your data but doesn't really benefit security.

mres should be used on all strings used in database queries. However, this has nothing to do with preventing execution of that code. For that, using htmlentities and not running it through eval on output, will ensure that it is treated like nothing other than a string of text.
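The split described in the post above (escape for SQL on the way in, encode for HTML on the way out, never eval the stored text) as an added example, not code from the thread. It uses an in-memory SQLite database through PDO so it runs offline; the table name "messages" and the sample message are constructed for the example, and a prepared statement stands in for mysql_real_escape_string(), which needs a live connection from the mysql_ extension that no longer exists in PHP 7 and later.

```php
<?php
// Added example: a PHP snippet in a message is stored and returned as plain
// text. Only the SQL boundary (input) and the HTML boundary (output) need
// escaping, and each uses its own encoding.
$db = new PDO('sqlite::memory:');                       // swap for a mysql: DSN in production
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)');

// Constructed sample message: PHP tags, a script tag that would reload the
// page every second, and a single quote that would break naive SQL quoting.
$message = '<? echo "kjdhj"; ?> <script>setTimeout("location.reload()",1000)</script> it\'s';

// Input side: bind the value instead of pasting it into the query text. The
// database sees the message as data, so quotes in it cannot alter the query.
$insert = $db->prepare('INSERT INTO messages (sender, body) VALUES (:sender, :body)');
$insert->execute([':sender' => 'alice', ':body' => $message]);

// The row comes back byte-for-byte identical: the PHP tags were never parsed,
// because PHP only executes the file it is running, not strings it reads.
$stored = $db->query('SELECT body FROM messages')->fetchColumn();
$unchanged = ($stored === $message);

// Unsafe output: the raw string is sent to the browser. The PHP tags still do
// nothing, but the <script> tag runs in every reader's browser (XSS).
function render_unsafe(string $body): string
{
    return '<p>' . $body . '</p>';
}

// Safe output: encode for HTML at the moment of output. ENT_QUOTES also
// converts ' and ", and the charset must match the page's charset. The
// browser then displays the literal text <? echo "kjdhj"; ?> as the OP wanted.
function render_safe(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

echo 'stored unchanged: ', var_export($unchanged, true), "\n";
echo render_unsafe($stored), "\n";
echo render_safe($stored), "\n";
```

Because the encoding happens in render_safe() rather than before the INSERT, the same stored row can later be emitted as JSON, plain text or an e-mail with the encoding appropriate to that context, which is the reason the post advises against encoding on input.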

01-14-2008, 10:32 PM
htmlentities won't protect you from mysql injections. :)

How can I protect this from happening then?

01-14-2008, 10:50 PM

01-15-2008, 12:53 AM
So, what does this do that is so different from htmlentities??

01-15-2008, 12:59 AM
That makes sure that people can't insert SQL and hack your database, basically.
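What "insert SQL and hack your database" means for a private-message inbox, shown as an added example that is not from the thread: the same lookup written with string concatenation and with a prepared statement. It runs against an in-memory SQLite database through PDO; the messages table, its rows and the attacker string are constructed for the example, and PDO::quote() is used where the thread's mysql_real_escape_string() would be, since that function needs an open mysql_ connection.

```php
<?php
// Added example: SQL injection against a recipient lookup, and the fix.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (recipient TEXT, body TEXT)');
// Constructed rows: one message per user; bob's must stay private.
$db->exec("INSERT INTO messages VALUES ('alice', 'hi alice'), ('bob', 'bob''s secret')");

// Vulnerable: the user-controlled name becomes part of the query text, so a
// quote in it ends the string literal and the rest is parsed as SQL.
function inbox_vulnerable(PDO $db, string $user): array
{
    $sql = "SELECT body FROM messages WHERE recipient = '" . $user . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Escaped: quotes inside the value are escaped before concatenation. This is
// the job mysql_real_escape_string() does for MySQL; PDO::quote() also adds
// the surrounding quotes, so none are written by hand here.
function inbox_escaped(PDO $db, string $user): array
{
    $sql = 'SELECT body FROM messages WHERE recipient = ' . $db->quote($user);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared: the query text is fixed and the value travels separately, so no
// character in it can change the query's structure. Preferred over escaping.
function inbox_prepared(PDO $db, string $user): array
{
    $stmt = $db->prepare('SELECT body FROM messages WHERE recipient = :user');
    $stmt->execute([':user' => $user]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input: closes the string, adds an always-true test.
// In the vulnerable version the WHERE clause becomes
//   recipient = 'alice' OR '1'='1'
$attack = "alice' OR '1'='1";

print_r(inbox_vulnerable($db, $attack));
print_r(inbox_escaped($db, $attack));
print_r(inbox_prepared($db, $attack));
```

Run it and the vulnerable lookup returns both users' messages, while the escaped and prepared versions return nothing, because no recipient is literally named "alice' OR '1'='1". Note that escaping only protects values that sit inside quotes in the query; a number or column name spliced in unquoted is not helped by it, which is one more reason to bind values with a prepared statement.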

01-15-2008, 02:39 AM
So, what does this do that is so different from htmlentities??
Read the manual pages.. They do two different things. htmlentities (http://php.net/htmlentities)() converts characters with an HTML character entity equivalent into them, and mysql_real_escape_string (http://php.net/mysql_real_escape_string)() escapes characters that would alter your query (quotes, etc.).

Given the string:

test © & 'test'

htmlentities() returns:

test &copy; &amp; 'test'

mysql_real_escape_string() returns:

test © & \'test\'

01-15-2008, 06:01 PM
When I put htmlentities on my string it comes out like...

test &copy; &amp; &#39test&#39

Also, the ; is ending the &#39