Make links clickable

Hi,
I am pulling data from database to display it to the user. The user can perform some functions like file upload. Now when I let users upload the file, I am storing the path to the file in my database (& not the actual file itself). The path to access the file would be:

<a href = "../folder1/folder2/attachment.zip">Download attachment</a>

I am storing this file on my server (not in my database).
I am using the following query to display the data from database:

 echo htmlentities($rows['message']);  

The problem is that when I try to display the data from database, the htmlentities function is not letting me make the link clickable whereas I want users to be able to click the link to be able to download the attachment.

It is displaying the data as:

<a href = "../folder1/folder2/attachment.zip">Download attachment</a>

whereas I want it to display as:

Download attachment

even after passing through htmlentities. I don’t think using html_entity_decode will do any good as that will revert any malicious input back to its original state. I have data validation in place but still would like to use htmlentities to display the data from the database & at the same time make the “Download Attachment” link clickable. Any suggestions?

Thank you very much in advance. Looking forward to your replies.

What attacks are you expecting someone to attempt on the current code? I can’t see a good reason to use htmlentities to be honest

Hi,
Thank you for your response. The attacks I was mentioning refer to SQL injection, CSS attempts & entry of invalid characters. Someone told me that using htmlentities will remove any bad characters in the data & display it in a proper way. (Better safe than sorry.)

Any ideas? Please let me know. Thank you.

htmlentities is only used for SQL injection when you’re posting to SQL, not when you’re calling from it. You don’t need it here.

It is better to protect against SQL injection when the data is inserted rather than retrieved. Use mysql_real_escape_string() to sanitize your data before inserting it into the database.

Oh I see… Thanks to all of you. Simplistik, I guess that’s what would serve my purpose for now…so I am going to try that. djheru, you are right, I use mysql_real_escape_string() to sanitize the data before inserting it into the database along with some other rigorous checks. I still thought of using htmlentities to display data if in any case bad data gets in the DB. Something like <script>alert"HI"</script>.

So I am going to try removing the htmlentities to display data & lets see how that works. Thanks to all of you for your time.

Hi,
Ok, I removed htmlentities for output & modified the script as needed & the output is showing as desired. I am using html_entity_decode to be able to display the output correctly. I am using strip_tags, htmlentities & mysql_real_escape_string, in the order listed, just before inserting the data into the DB.

Now say when someone wants to enter

1
2

3

as input, this data is being stored in the DB as:

1&lt;br /&gt;2&lt;br /&gt;&lt;br /&gt;3

I am using html_entity_decode to display it correctly as:

1
2

3

But what concerns me now is what if I need to search for some data? How can i search effectively if the data is stored as

1&lt;br /&gt;2&lt;br /&gt;&lt;br /&gt;3

???

I think my search function will fail miserably under such circumstances. I would really appreciate it if anyone has a solution for this. Looking forward to your replies. Thank you.
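An added example (not code from this thread) that puts the two approaches discussed in the post above side by side: running the text through strip_tags, nl2br and htmlentities before the INSERT, versus storing the text exactly as typed and escaping only when it is rendered. It uses PDO with an in-memory SQLite database so it runs offline; the table name, column name and the sample message are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Compares encoding text before
// it is stored (the pipeline described above) with storing it as typed and
// escaping only at output. In-memory SQLite via PDO so it runs offline.

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, message TEXT NOT NULL)');

// Pipeline from the thread: strip_tags, nl2br, htmlentities, then INSERT.
function encodeBeforeStore(string $text): string
{
    return htmlentities(nl2br(strip_tags($text)), ENT_QUOTES, 'UTF-8');
}

// Alternative: keep the stored text as typed and escape when rendering.
// htmlspecialchars turns < > & " ' into entities, so any markup in the
// message is shown as text; nl2br then adds <br /> for the line breaks.
function renderMessage(string $stored): string
{
    return nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
}

function insertMessage(PDO $db, string $message): int
{
    // Prepared statement: the message never becomes part of the SQL text,
    // so the data needs no escaping for the INSERT itself.
    $stmt = $db->prepare('INSERT INTO messages (message) VALUES (:m)');
    $stmt->execute([':m' => $message]);
    return (int) $db->lastInsertId();
}

function fetchMessage(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT message FROM messages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Substring search on the stored column. % and _ inside $term are LIKE
// wildcards, so escape them if the term comes straight from the user.
function searchMessages(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT id FROM messages WHERE message LIKE :t');
    $stmt->execute([':t' => '%' . $term . '%']);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed sample input: what a user might type into the textarea.
$userInput = "R&D report\nsee attached\n\n<script>alert('HI')</script>";

$encodedId = insertMessage($db, encodeBeforeStore($userInput));
$rawId     = insertMessage($db, $userInput);

// The encoded row holds entities (&amp; &lt;br /&gt; ...), the raw row the text as typed.
echo "stored (encoded): ", fetchMessage($db, $encodedId), "\n";
echo "stored (raw):     ", json_encode(fetchMessage($db, $rawId)), "\n";

// A search for "R&D" can only match the raw row: the encoded row contains "R&amp;D".
var_dump(searchMessages($db, 'R&D') === [$rawId]);

// Rendering the raw row escapes the markup, so the script tag appears as text,
// while the line breaks still come out as <br />.
echo renderMessage(fetchMessage($db, $rawId)), "\n";
```

Run it with the PHP CLI (pdo_sqlite is enabled in most builds). The point it makes is the one raised in the post: once entities are written into the column, plain SQL search no longer sees the characters the user typed, whereas escaping at output keeps the column searchable and still neutralises any markup when the page is built.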

When you search use html_entity_decode and search on that instead of the pure database fields - if you are doing the search in SQL then this isn’t really possible

Alternatively you could store the items in 2 fields, one with the full HTML code, and one with the codes removed which is searchable

Finally: I wouldn’t store the entire link as you are doing - why do you need to store the entire link code? Why don’t you just store the path portion which is the only part which is going to be dynamic and generate the link from PHP or an HTML template fed into a PHP page/class

i.e. just store …/folder1/folder2/attachment.zip in the database

The database is there to store data, the PHP is there to manipulate the data and produce output, the HTML is there for display purposes - if you keep these 3 elements separate to their intended purposes you won’t have this problem

Hi,
Thanks for the reply. The reason why I would input the total link rather than just the path is that both the text messages & the path go into the same field. When that happens, there is no way to distinguish between the message & the link, unless we write some complicated code for it. The user might submit messages or upload attachment, all this data is being fed to the same field in the table along with the other fields. So that’s the reason why I am doing that.

If I need to maintain 2 fields, one for clean messages & the other for HTML encoded, don’t you think that is going to increase the size of the database greatly as it leads to duplication? The field can contain about 5000 characters at one time & if I maintain an identical field with the necessary changes, I think it’s going to be pretty heavy by the end of the day. What do you say? This made me wonder about how one can implement search functionality in their site? Hope my questions make sense.

Looking forward to your replies. Thanks very much.

I’m not sure I understand where you are coming from with the whole text-messages and path thing…

How does the actual input bit look? Does the user enter some notes for the upload or something or does the user have the ability to enter a note or upload a file (one or the other)?

Can you post a screenshot of the submission form(s) or explain exactly what the user can input - I’m sure there are simpler ways round this problem you are facing

Hi,
Apologize if my post was confusing, let me try to put it in a simple way. Here it goes:

  1. The user can send messages. They can type whatever they want in the textarea. Along with that, they might have some Word document or any other attachment that they would like to send across. For this reason, they are provided with an optional file upload form. They may send only messages or only an attachment or both at the same time. All this data is going into the same field.
  2. You can say that they are writing some notes, in fact, you almost got there. I think this is solved if I use 2 fields, rather than just 1, one for the message & the other for the attachment.

Hope I am clear now. Looking forward to your suggestions. Thank you.

Yes I would store the link to the attachment in one field (but just the path, rather than the full link) and store the notes in a separate field. The database size won’t be impacted at all - it means that you can also search effectively on filename and on note information without having to worry about escaping characters
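An added example (not code from the thread) that turns the advice in this reply, and the earlier one about storing only the path and generating the link in PHP, into working code: the note and the attachment go into separate columns, only the file name is stored, the `<a>` tag is built at output time, and search runs against the plain columns. The URL prefix, the file-name policy, the function names and the sample rows are assumptions, and PDO with in-memory SQLite stands in for the real database.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. The note and the attachment
// live in separate columns; only the file name is stored, the link is
// built in PHP at output time, and searches run against the plain columns.
// Assumed: URL prefix, file-name policy, sample rows.

const UPLOAD_URL = '/uploads/';   // URL prefix that serves the upload directory (assumed)

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE messages (
    id INTEGER PRIMARY KEY,
    message TEXT NOT NULL,
    attachment TEXT NULL   -- file name only, never a full <a> tag or a path
)');

// Decide the name under which an upload is kept (use the same name for
// move_uploaded_file). Only a plain base name from a conservative character
// set is accepted, so "../" segments and names starting with "." can never
// reach the table or the file system. Generating a random server-side name
// instead of trusting the client name is the stricter option.
function acceptFileName(string $clientName): string
{
    $name = basename($clientName);
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/', $name)) {
        throw new InvalidArgumentException("rejected file name: $clientName");
    }
    return $name;
}

function insertPost(PDO $db, string $message, ?string $attachment): int
{
    $stmt = $db->prepare('INSERT INTO messages (message, attachment) VALUES (:m, :a)');
    $stmt->execute([':m' => $message, ':a' => $attachment]);
    return (int) $db->lastInsertId();
}

// Build the download link from the stored name: rawurlencode for the URL
// part, htmlspecialchars for the attribute. Re-checking basename() here is
// defence in depth in case a bad value ever reached the column.
function attachmentLink(?string $stored): string
{
    if ($stored === null || $stored === '' || $stored !== basename($stored)) {
        return '';
    }
    $href = UPLOAD_URL . rawurlencode($stored);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">Download attachment</a>';
}

// Render one row: the message is escaped at output, the link is generated.
function renderPost(array $row): string
{
    $html = nl2br(htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8'));
    $link = attachmentLink($row['attachment']);
    return $link === '' ? $html : $html . "\n<p>" . $link . '</p>';
}

function fetchPost(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT id, message, attachment FROM messages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Search works on both plain columns; nothing in the table is entity-encoded.
function searchPosts(PDO $db, string $term): array
{
    $like = '%' . $term . '%';
    $stmt = $db->prepare('SELECT id FROM messages WHERE message LIKE :m OR attachment LIKE :a');
    $stmt->execute([':m' => $like, ':a' => $like]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed sample data standing in for two form submissions.
$withFile = insertPost($db, "Q3 figures attached\nsee tab 2", acceptFileName('Q3-report.zip'));
$textOnly = insertPost($db, 'Just a note, no file & nothing <b>bold</b>', null);

echo renderPost(fetchPost($db, $withFile)), "\n\n";
echo renderPost(fetchPost($db, $textOnly)), "\n\n";

var_dump(searchPosts($db, 'report') === [$withFile]);   // hit on the file name column
var_dump(searchPosts($db, 'note') === [$textOnly]);     // hit on the message column

// A traversal attempt is reduced to its base name; a dot file is rejected outright.
var_dump(acceptFileName('../../etc/passwd'));
try {
    acceptFileName('.htaccess');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Because the table never holds markup or entities, there is no second "encoded" column to keep in sync and no decoding on the way out; the only escaping happens in renderPost and attachmentLink, at the boundary where text becomes HTML.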

Appreciate the info. I will follow that. I will let you know just in case I get stuck somewhere.
Thanks very much.

Thanks to all of you.