[Resolved] [Resolved] storing html / php mixed

juschillinnow

This title has been posted several times by various people and I've looked at all of them. But once and for all, What is the best means of preparing html/php code for storage in mysql.

htmlentities / unhtmlentities
addslashes / stripslashed
htmlspecialchars
etc

What does this forum use to prepare the posts for storage on the db?

AstroTeg

Depends on your needs, although you mentioned "forum" so my approach would be to clean up the input (aka: forum post) before putting it in the database. That would mean strip out any html characters (or convert them to html entities) and escape the string if needed to fit nicely in the SQL query. Once the string is in, then you know its been validated and you don't have to worry about. Displaying it would be a matter the UBB. Although I could see the arguement of parsing out the UBB first and then tossing the HTML in. You'd only have to convert it back to UBB if the user decided to edit their post, which happens, but probably not as often as the post is displayed.

Basically, there's several ways to do this and I think as long as it works, you're fine.

Shrike

IMO you shouldn't ever need to put PHP in a database. HTML is more questionable but ideally content and structure should be separate too. At least to my mind 🙂

AstroTeg

Yeah, good point - keep PHP out of the database. Its hard to re-use code if you have to keep querying for it. And why would you want to search or sort your PHP code? An include file would be the smarter way to go.

juschillinnow

it would be for other to input code. and then for others to utilize the code on the site. It would have to be both. Please don't tell me about security issues 🙂 I've read (and done) all of them) ha ha.

Thanks. I didn't know if there was a "standard" for doing this, or if it's just user based.

AstroTeg

Templates. That would be a better fit for you. Let the user enter "tokens" and you swap out the tokens with the PHP output (but store the tokens in the database unless you want to get into caching).

Otherwise, you'd have to do a heck of a lot of house cleaning to remove sinister PHP functions or lock the user down to a strict subset of PHP functions. Your server and your site so I'm sure you thought about this...