Storing HTML in a database

Aso · #1 Jul 2nd, 2008, 13:27

Just having a flick through a Wordpress database, it seems they store the post content with certain markup (such as <b>, <em>, <img> tags etc.) but not <p> (paragraph) tags, instead inserting these at 'runtime' with the use of PHP.

However, I've seen other CMS's simply store the complete HTML in the DB, then just output the chunk when required.

Is there any advantage of either? Surely the latter would save a little processing power?

Another Q - is it common to protect against (SQL) injection when you know the input is coming from an authenticated user? Say, when a logged in author is adding content to the DB? How would you do this if you need to preserve HTML tags?

Cheers for any advice

CloudedVision · #2 Jul 2nd, 2008, 14:09

It seems to me that saving the complete HTML code will save processing power and such, I don't know why wordpress would save it without the <p> tags.

Actually, protecting against SQL injection is only half of it. You also need to protect against the user causing an SQL error because the close out the single quotes too early. So, yes it is common to do that.

Aso · #3 Jul 2nd, 2008, 17:47

Quote:

Actually, protecting against SQL injection is only half of it. You also need to protect against the user causing an SQL error because the close out the single quotes too early. So, yes it is common to do that.

What's the best method for doing so? (I can't believe I didn't think of the user causing errors without intent!)

CloudedVision · #4 Jul 2nd, 2008, 18:44

It depends. If magic_quotes is on, you don't need to do anything. (I usually insert a line in the script to turn it off, it can mess quite a lot of things up) If its off, mysql_escape_string() works nicely.

Just out of curiousity, whats this big project you seem to be doing? A CMS or something of the like?

Aso · #5 Jul 2nd, 2008, 20:15

Quote:

Originally Posted by CloudedVision

If magic_quotes is on, you don't need to do anything. (I usually insert a line in the script to turn it off, it can mess quite a lot of things up) If its off, mysql_escape_string() works nicely.

Cheers for the tip CV

Just wondered if mysql_escape_string was sufficient - having looked it up, the function's now deprecated and mysql_real_escape_string should be used instead.

Quote:

Originally Posted by CloudedVision

Just out of curiousity, whats this big project you seem to be doing? A CMS or something of the like?

Aha! Yes, this is quite new to me (I've worked with open-source kits before, but never really tackled the DB side of things head on).

For this project (a bathroom showcase site) I really needed something quite specific and dead simple

Luckily I've also got Mr Ullman's 'PHP and MySQL for Dynamic Websites' SE which has really helped me out, but it's not quite the same as some dedicated advice @ WF

CloudedVision · #6 Jul 2nd, 2008, 20:31

Quote:

Originally Posted by Aso

Just wondered if mysql_escape_string was sufficient - having looked it up, the function's now deprecated and mysql_real_escape_string should be used instead.

shoot. I knew it contained the word "real" in it.

thanks for the correction

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Matching HTML And Storing	josephman1988	Other Programming Languages	0	Feb 18th, 2008 13:25
[SOLVED] Help with HTML form to database (mysql/php)!	skuliaxe	PHP Forum	7	Jan 20th, 2008 00:41
How to connect the microsoft access database using HTML page	mazenbluee	Databases	5	Nov 21st, 2007 06:49
php/mysql database fields into html list/menu	csun	PHP Forum	4	Jul 27th, 2007 16:04
storing lists of friends	keyboardcowboy	Website Planning	0	May 22nd, 2007 19:14

		Webforumz.com > Main Forums > Program Your Website > PHP Forum
Storing HTML in a database

The Following User Says Thank You to CloudedVision For This Useful Post:
Aso