Database for Content - OK to store HTML?

php html database security
31,482

Solution 1

Like others have pointed out there's nothing dangerous about storing HTML in the DB. But when you display it you need to know the HTML is safe. Seeing as you're the only one editing the HTML I see no problem.

However, I wouldn't store HTML at all. If all you need are headings, paragraphs, lists, links, images etc I'd say Markdown is a perfect fit. The benefit with Markdown is that it looks just like normal text (ie you could send your articles as e-mails or save them as txt-documents), it takes up a lot less space than HTML and you don't have to change it once HTML gets updated.

http://michelf.ca/projects/php-markdown/

Solution 2

Storing HTML code is fine. But if it is not from trusted source, you need to check it and allow a secure subset of markup only. HTML Tidy library will help you with that.

Also, you need to count with a future change in website design, so do not use too much markup, only basic tags. To make it look like you want, use global CSS rules and semantically named classes in the markup.

But even better is to use Markdown or another wiki-like syntax. There are nice JS editors for Markdown with real-time preview (like the one here at Stackowerflow), and you can avoid HTML altogether.

Solution 3

From the security point of view it is not less secure to store your HTML in a database than storing it anywhere else - if you are the only author of that HTML. But then again if other people can author HTML in your website then it doesn't matter where you store it - only how you sanitize it and how and where you display it.

Now whether or not it is an efficient way to store HTML is a completely different matter. If I were you I would use some decent templating system and store HTML in files.

Solution 4

My initial answer to "should I store html in a db" is generally no. Sure it's safe if you know what you're storing, but are you really considering best practices when you ask only that question? The true answer is "It depends".

I'm sure there are things like Wordpress that store html in a database, however, as a professional website designer, I like to remember the Separation of Concerns principle. How reusable is storing html in your database for a mobile app? Is your back end now in charge of display as well as data? Do you have many implementation possibilities for a front end or are you now stuck with whatever the back end portrays, what if you want it a different color and you've stacked ul within ul within ul? How easy is the css styling now? How easy is it to change or update that html?

I could be wrong, but even Sitecore and Kentico may store an html template in a database somewhere, but the data associated with that html template is a model, not directly on the html template.

So, when you are considering this question, you may want to store your models one place and your templates another, that way when you say "hey, lets build a mobile app" you can grab your data and go, rather than creating yet another table to store the same data.

Share:
31,482
Ethosik
Author by

Ethosik

Updated on July 05, 2022

Comments

  • Ethosik
    Ethosik almost 2 years

    Basic question is - is it safe to store HTML in a database if I restrict who can submit to it?

    I have a pretty simple question. I provide video tutorials and other content. Without spending months writing a proper BBCode parser, I would need to store the HTML so I can have it look exactly the way I want when I grab it from the database.

    Basically I plan to store all information in the database about a tutorial series and each episode. I would like to have some formatting for the descriptions for both so I can add multiple paragraphs, ordered and unordered lists, links to required resources, and so on.

    I am using PHP and creating my own database. I am using phpMyAdmin to store the information in the table right now. I will use a user with read only rights when I pull the information in the PHP code.

    What is the best way to do this? Thank you!

  • Ethosik
    Ethosik over 11 years
    So if I only allow for myself to add new entries through phpMyAdmin, it should be fine? I mean if somebody gets my account information to where they can get into phpMyAdmin, I am hosed anyway right?
  • Ethosik
    Ethosik over 11 years
    That is what I am doing. Instead of creating static HTML pages with the content, I am building a template system and the information gets pulled from the database. But the issue is, some tutorials and content will need to have required resources while others will not. So I will need to add HTML anchor tags in the description like Download this file. So I cannot really create a template system when some tutorials require things that others do not. I hope that makes sense.
  • Ethosik
    Ethosik over 11 years
    If I am the only one able to edit and add to the database through phpMyAdmin, will I need to use something like markdown? If somebody has my information to where they can go into phpMyAdmin themselves and add unsafe code, I have other problems right? I will never add an admin section, I will pretty much always do it through phpMyAdmin with queries. And when I read the information, that user will only have read only.
  • powerbuoy
    powerbuoy over 11 years
    That's true, but regardless I would still recommend using Markdown as it's much more like normal text and doesn't limit you to only HTML. It's easier to write, takes up less space in your DB, is totally safe and doesn't need to change when HTML gets updated.
  • Ethosik
    Ethosik over 11 years
    Well I mostly will just use tags like p, ul, ol, li, and a. I will not get too fancy with it because these are just short descriptions I will be dealing with. 90% of them will not have any HTML at all. Do I need to spend quite a bit of time to implement them with markdown? Does this eliminate the possibilty of somebody removing my markdown code and replacing it with HTML tags, or does HTML get parsed as well? I am not building a massive system here. At most I will probably have 300 entries in the entire database, not thousands like with a Forum or something with 10 or 20 with HTML.
  • powerbuoy
    powerbuoy over 11 years
    The Markdown version that I use works like this: echo Markdown($textFromDB) and it comes out as (X)HTML. All you need to do to use it is include 'Markdown.php'. The Markdown syntax is super easy to learn as well and (as I mentioned before) looks more like regular text than a markup language.
  • Josef Kufner
    Josef Kufner over 11 years
    Yes. (If you consider yourself a trusted source.)
  • Ollie Williams
    Ollie Williams about 6 years
    Could you please name some nice Markdown editors that I can incorporate into my site?
  • CarenRose
    CarenRose almost 4 years
    What does "thbb" mean?
  • CarenRose
    CarenRose almost 4 years
    Ahh, I was thinking it was an abbreviation for something.
  • Patrick Knott
    Patrick Knott almost 4 years
    Your point is well made, I replaced thbbb (the sound you make when you place your tongue between your lips and blow) with no.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Problems with creation of database DVWA
MIME Type spoofing
Storing emojis in MySql database. Showing ??? in phpmyadmin
How Mega does to save a file to harddrive without requiring permission
MySQL select records 1 hour ago or fresher on datetime column
How to pass data from form without a form field? (PHP)
Prevent hidden input from being altered
How to display all the images stored inside a database
PHP form not inserting into mySQL database
PHP- Fetch from database and store in drop down menu html