如何在MySQL中安全地存储HTML数据? [重复]

时间:2022-12-08 11:38:11

This question already has an answer here:

这个问题在这里已有答案:

So here is the thing, I'm working on my own little PHP based forum software for my college exam (comp. sciences). One thing I found tricky to do is to allow html content. One of the exam requirements is SQL security.

所以这就是事情,我正在为我的大学考试(comp。科学)开发我自己的基于PHP的小论坛软件。我发现棘手的一件事是允许html内容。考试要求之一是SQL安全性。

In my forum I want to allow someone to copy and paste something from the internet, like say a WikiPedia article, with all hyperlinks and font styling to transfer over ones they paste it into the forum textarea.

在我的论坛中,我想允许某人从互联网上复制和粘贴一些东西,比如说一篇WikiPedia文章,所有的超链接和字体样式都可以转移到它们粘贴到论坛textarea中。

I was able to achieve this with use of nicEditor which is a js wysiwyg editor. Now the problem strives from the way I validate the user input. In order to make the input secure it's called in such format.

我能够使用nicEditor实现这一点,这是一个js wysiwyg编辑器。现在问题来自我验证用户输入的方式。为了使输入安全,它以这种格式调用。

parsebbCode(htmlentities(stripslashes($posts_content)))

This pretty much renders everything useless, turning html into plain text. So here is the thing, how can I store the html code in it's default state in MySQL and convert it into rich format ones it's going to the client side, without creating a SQL vulnerability? Or should I just write some BBCODE to parse the basic elements instead?

这几乎使一切变得无用,将html变成纯文本。所以这就是问题,如何将html代码存储在MySQL中的默认状态,并将其转换为丰富的格式,它将转移到客户端,而不会产生SQL漏洞?或者我应该写一些BBCODE来解析基本元素?

1 个解决方案

#1


1  

I originally added this as a comment but this is truly an answer:

我最初将此添加为评论,但这确实是一个答案:

If you use parameters to update your DB SQL injection attacks will be foiled. It's only when you use adhoc SQL text queries that you are vulnerable like that.

如果您使用参数来更新您的数据库SQL注入攻击将被挫败。只有当您使用adhoc SQL文本查询时才会像这样容易受到攻击。

Here is a link:

这是一个链接:

How can I prevent SQL injection in PHP?

如何在PHP中阻止SQL注入?

#1


1  

I originally added this as a comment but this is truly an answer:

我最初将此添加为评论,但这确实是一个答案:

If you use parameters to update your DB SQL injection attacks will be foiled. It's only when you use adhoc SQL text queries that you are vulnerable like that.

如果您使用参数来更新您的数据库SQL注入攻击将被挫败。只有当您使用adhoc SQL文本查询时才会像这样容易受到攻击。

Here is a link:

这是一个链接:

How can I prevent SQL injection in PHP?

如何在PHP中阻止SQL注入?