
How would I be able to insert a code snippet into a database and then display that code in a textarea identically to how I inserted it?

When comparing the code going in and coming out, they are never the same; for some reason I can't get it to work.

$db = new sqlite3('test.db');
$r = $db->query("select * from test where id='1'");
$f = $r->fetchArray();

// The stored text is interpolated straight into the HTML, with no escaping
echo "<textarea rows='10' style='width:500px;'>$f[data]</textarea>";
$db->close();

This is the code I'm testing:

't apple \n\r 

♦   &diams; &#9830; black (solid) diamond suit

<textarea></textarea>
$£%^&*()!@">RWH{{@£})"":?'
<form>dfddf
<input type="button">
</form>

How can I insert it into the database correctly so that the data is displayed identically within the textarea?

  • You must output-encode the data before inserting it into HTML; otherwise this will break with some characters and is an XSS security risk. Commented Nov 9, 2017 at 3:59
  • Hi eckes, thank you for replying. How do I encode it before inserting it into a database, and how do I decode it so that it is identical, without any of the code executing or changing? Just like in the question, the code is there as I inserted it; I want to achieve that. Commented Nov 9, 2017 at 4:10
  • htmlentities() - php.net/manual/en/function.htmlentities.php Commented Nov 9, 2017 at 4:10
  • What's the string you are storing on your database? Commented Nov 9, 2017 at 4:21
  • Hi Airerr, that works, it displays the code identically, thank you. Commented Nov 9, 2017 at 4:23

1 Answer


I highly recommend not storing code in your database; this can lead to some pretty serious security flaws, but you can use htmlentities() when adding the code to the database.

Keep in mind this is not going to make you fully secure, however, it will at least change the tags to symbols.

htmlentities — Convert all applicable characters to HTML entities

This will do what you need to be done to store the result in your database:

$string = '<h1>This is a Heading 1</h1>';

Now, when running your SQL query, wrap your string in the htmlentities function:

echo htmlentities($string);

If you print that you will see:

<h1>This is a Heading 1</h1>

Instead of:

This is a Heading 1


8 Comments

Hi Samuel, I see what you are saying. From googling "encode": what if I encoded it with base64_encode before passing it into the database, then used htmlentities(base64_decode($f[data])) to display it? If I did that, how serious would the security flaw be then?
There are various layers of risk you have to be concerned about. Pulling the data from the database is usually less of a risk; the biggest problem comes when storing data in your database. Read this for more information: php.net/manual/en/security.database.sql-injection.php
If you use prepared statements you do not need to base64-encode the data you write to the DB. I would store it unencoded and unescaped in the DB to keep the data portable.
Hi Samuel, I hear what you are saying. What if I prepare the SQL by using bindParam, like php.net/manual/en/pdo.prepared-statements.php, use htmlentities on the data, and then insert the data? Would that way be safer?
Hi eckes, I recreated the query to use prepared statements. I placed the snippet into the DB and it was identical; it also executed JavaScript code identically too, so that must have been the XSS attack you talked about. You said I should store it unencoded and unescaped; does that mean I use htmlentities on display to stop any XSS attacks?
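As an added example (not code from the question or the answer), this is the approach the comments converge on: bind the snippet with a prepared statement and store it raw, then escape it only when writing the textarea. It assumes PDO with an in-memory SQLite database; the snippets table and the sample text are constructed here.

```php
<?php
// Added example: store raw via a prepared statement, escape at output time.
// Assumes PDO with in-memory SQLite; the 'snippets' table name is constructed.

function storeSnippet(PDO $db, string $text): int
{
    // The value travels as a bound parameter, never spliced into the SQL string.
    $stmt = $db->prepare('INSERT INTO snippets (data) VALUES (:data)');
    $stmt->execute([':data' => $text]);
    return (int) $db->lastInsertId();
}

function loadSnippet(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT data FROM snippets WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

function textareaFor(string $text): string
{
    // Escape for the HTML context only here. & < > " ' become entities, so a stored
    // </textarea> cannot close the element early, and a stored &diams; is shown
    // literally (as typed) instead of being decoded to ♦. The browser undoes this
    // single layer of encoding when rendering, so the user sees the original text.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<textarea rows='10' style='width:500px;'>" . $safe . '</textarea>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE snippets (id INTEGER PRIMARY KEY, data TEXT NOT NULL)');

// Constructed sample modelled on the question's test string: a stray quote, a
// literal \n\r, an entity, a closing </textarea>, and a form with an input.
$snippet = "'t apple \\n\\r\n♦ &diams; &#9830;\n<textarea></textarea>\n"
         . "\$£%^&*()!@\">RWH{{@£})\"\":?'\n<form>dfddf\n<input type=\"button\">\n</form>";

$id = storeSnippet($db, $snippet);
$stored = loadSnippet($db, $id);

// The database round trip preserves every byte; only the HTML layer escapes.
var_dump($stored === $snippet);
echo textareaFor($stored), "\n";
```

Because the data is stored exactly as submitted, the same row can later be rendered in a non-HTML context (a JSON API, a plain-text export) with that context's own escaping instead of stripping HTML entities back out.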