Storing HTML and PHP in MySQL

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Storing HTML and PHP in MySQL

Post by rhecker »

I want to safely store PHP and HTML in MySQL, then use eval() to run the code when it's called from the database.

To accomplish this, I used mysql_real_escape_string and htmlspecialchars on data going into the database, then htmlspecialchars_decode and stripslashes on the data coming out, before using eval().

The problem I have encountered is that carriage returns and new lines get converted to \r and \n going in, but coming out, the slashes are stripped, leaving the r's and n's as text.

I must be approaching this the wrong way. Can someone point me in the right direction?
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Storing HTML and PHP in MySQL

Post by Eran »

I must be approaching this the wrong way
Probably - there is almost never a good reason to store PHP code in a database and run it with eval().

If you could explain your requirements, maybe someone could offer a better solution. Why aren't you using include() / require() to include scripts?
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Storing HTML and PHP in MySQL

Post by AbraCadaver »

rhecker wrote:I want to safely store PHP and HTML in MySQL, then use eval() to run the code when it's called from the database.

To accomplish this, I used mysql_real_escape_string and htmlspecialchars on data going into the database, then htmlspecialchars_decode and stripslashes on the data coming out, before using eval().

The problem I have encountered is that carriage returns and new lines get converted to \r and \n going in, but coming out, the slashes are stripped, leaving the r's and n's as text.

I must be approaching this the wrong way. Can someone point me in the right direction?
Don't use stripslashes() coming out.
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Re: Storing HTML and PHP in MySQL

Post by rhecker »

Not using stripslashes coming out leaves the slashes in, so that's not a solution.

I wonder what the argument is against using eval(). I realize the code could be put in includes.
Here's the code for my little test app.

Code:

<?php
// Test app as posted: escape every POST field "for the database" and for
// HTML, then undo both on the way out. Initialised up front so the first
// (GET) request does not echo undefined variables.
$start2 = $start3 = '';

if (!empty($_POST['start'])) {
    foreach ($_POST as $k => $v) {
        $v = htmlspecialchars($v);            // HTML escaping, applied before storage
        $v = mysql_real_escape_string($v);    // SQL escaping (needs an open mysql_* connection)
        $_POST[$k] = $v;
    }
    // Note: extract() turns every POST key into a local variable.
    extract($_POST);
    $start2 = $start;
    $start3 = htmlspecialchars_decode($start);
    $start3 = stripslashes($start3);          // the step under discussion
}
?>
<form action="#" method="post">
<p>Start<br/>
<textarea name="start" cols="30" rows="5"></textarea></p>
<p>No cleanup<br/>
<textarea name="2" cols="30" rows="5"><?php echo $start2; ?></textarea></p>
<p><?php echo $start2; ?></p>
<p>With cleanup<br/>
<textarea name="3" cols="30" rows="5"><?php echo $start3; ?></textarea></p>
<p><?php echo $start3; ?></p>

<input name="submit" type="submit" value="submit" />
</form>
Last edited by rhecker on Tue Oct 26, 2010 11:12 am, edited 1 time in total.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Storing HTML and PHP in MySQL

Post by Eran »

It depends on what you are using eval() for - if it's for code generated by a user, you have a major security hazard on your hands. If it's for your own code - it really complicates development. It is much easier to work with files instead of a database. How do you edit your code? You can't use an IDE or text editor directly on it; do you edit it through a database GUI?
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Storing HTML and PHP in MySQL

Post by AbraCadaver »

rhecker wrote:Not using stripslashes coming out leaves the slashes in, so that's not a solution.
No, not unless you are adding them with something other than mysql_real_escape_string. magic_quotes maybe?

If you insert mysql_real_escape_string("What's up?") into your db, then select it from your db and echo it, you'll get What's up? not What\'s up? unless magic_quotes_runtime is enabled (doubtful).
rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Re: Storing HTML and PHP in MySQL

Post by rhecker »

Regarding stripslashes, you can run the code I provided above, take out stripslashes and see what happens.

Here is the reason I am interested in using eval():
I want to have websites that have a single "page," so that the page_id and other variables determine what is sent to that one index.php page. Then the CMS is used to determine what content will fill the page. Rather than having includes that are relevant to just a single page instance, it seemed easier to manage to just put the code right in the content stored in the database. Of course in instances where the code would be used in more than one place, an include or a function would make better sense.

Users would never enter PHP although administrators would be able to enter HTML through a secure section.
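The "one index.php, content picked by page_id" layout rhecker describes can be built the way Eran suggests, with files and include() rather than eval(). The script below is an added example, not code from this thread: the pages table (page_id, title, template, body_html), the template names and the use of an in-memory SQLite database in place of MySQL are all assumptions made so it runs offline. The point it demonstrates is that the database only ever supplies data (HTML bodies, a template name), and the only thing that turns a database value into executable code is a fixed allowlist of files on disk.

```php
<?php
declare(strict_types=1);

// Added example, not rhecker's or the forum's code. Assumed schema:
// pages(page_id, title, template, body_html). body_html is raw HTML written
// by administrators; per-page PHP lives in template files, never in the DB.

// SQLite in memory stands in for MySQL so the demo runs offline; the PDO
// prepared-statement calls are identical with a mysql: DSN.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE pages (page_id INTEGER PRIMARY KEY, title TEXT, template TEXT, body_html TEXT)');
$ins = $db->prepare('INSERT INTO pages (page_id, title, template, body_html) VALUES (?, ?, ?, ?)');
$ins->execute([1, 'Home', 'default', "<h2>Welcome</h2>\r\n<p>It's the home page.</p>"]);
$ins->execute([2, 'Contact', 'contact', '<p>Mail us.</p>']);
// Constructed bad row: a tampered template column must not select a file.
$ins->execute([3, 'Tampered', '../../etc/passwd', '<p>template column tampered with</p>']);

// Templates are ordinary PHP files, edited with a normal editor. They are
// written to a temp dir here only so the demo is self-contained.
$tplDir = sys_get_temp_dir() . '/cms_tpl_' . getmypid();
mkdir($tplDir, 0700);
file_put_contents("$tplDir/default.php",
    '<h1><?= htmlspecialchars($page["title"], ENT_QUOTES, "UTF-8") ?></h1>' . "\n" .
    '<?= $page["body_html"] ?>' . "\n");
file_put_contents("$tplDir/contact.php",
    '<h1>Contact: <?= htmlspecialchars($page["title"], ENT_QUOTES, "UTF-8") ?></h1>' . "\n" .
    '<?= $page["body_html"] ?>' . "\n" .
    '<p>Rendered <?= date("Y") ?></p>' . "\n");

// The allowlist is the only link between a database value and a file path.
const TEMPLATES = ['default', 'contact'];

function load_page(PDO $db, int $pageId): ?array
{
    $st = $db->prepare('SELECT page_id, title, template, body_html FROM pages WHERE page_id = ?');
    $st->execute([$pageId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function render_page(array $page, string $tplDir): string
{
    // Unknown or tampered template names fall back; no path is built from data.
    $name = in_array($page['template'], TEMPLATES, true) ? $page['template'] : 'default';
    ob_start();
    include $tplDir . '/' . $name . '.php';   // $page is visible to the template
    return ob_get_clean();
}

// Dispatcher: index.php?page_id=2 (or `php index.php 2` on the CLI).
$requested = $_GET['page_id'] ?? ($argv[1] ?? 1);
$pageId = filter_var($requested, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$page = $pageId === false ? null : load_page($db, $pageId);
if ($page === null) {
    if (PHP_SAPI !== 'cli') {
        http_response_code(404);
    }
    echo "<h1>Not found</h1>\n";
} else {
    echo render_page($page, $tplDir);
}

// Remove the demo template files.
array_map('unlink', glob("$tplDir/*.php"));
rmdir($tplDir);
```

Run it with `php index.php 3` to see the tampered template column silently mapped to default.php, and with `php index.php 1` to see the CRLF in the stored body come back as a real line break because nothing was escaped or decoded between INSERT and SELECT. Code that is specific to one page goes into a template file under version control; the CMS row only names which one.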
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Storing HTML and PHP in MySQL

Post by AbraCadaver »

Your code is not accurate because your server is escaping the posted data, à la my statement about magic_quotes. You need to remove the slashes from the post array. I hadn't really looked at your code to see that it has nothing to do with mysql yet, but here is a working example:

Code:

<?php
$start2 = $start3 = '';

if (!empty($_POST['start'])) {
    if (get_magic_quotes_gpc()) {
        $_POST = array_map('stripslashes', $_POST);
    }
    $_POST = array_map('mysql_real_escape_string', $_POST);
    $start2 = $_POST['start'];
    // don't do this:
    $start3 = stripslashes($start2);
}
The slashes that you see in $start2 will not be inserted into the db. It is only used to escape the quote to allow it to be inserted.

Also, there is no reason to use htmlentities() to store in the db. Use htmlentities() to display data if you want to ensure that malicious HTML/CSS/JS etc. isn't rendered.
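The storage rule in the post above (escape for SQL only on the way in, decode nothing on the way out, HTML-escape only at display time), as an added example that is not from this thread. It uses PDO prepared statements against an in-memory SQLite table named `notes`; both are assumptions, chosen because the mysql_* extension no longer exists and a prepared statement performs the same transport-only escaping that mysql_real_escape_string() did. It also reproduces the double-escaping mistake behind the "slashes left in" symptom, so the difference is visible in the stored bytes.

```php
<?php
declare(strict_types=1);

// Added example, not AbraCadaver's or rhecker's code. Table 'notes' and
// the SQLite stand-in for MySQL are assumptions for an offline demo.

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Insert a string and read it straight back. The driver escapes quotes and
// line breaks on the wire only; nothing is added to or removed from the data.
function round_trip(PDO $db, string $text): string
{
    $db->prepare('INSERT INTO notes (body) VALUES (?)')->execute([$text]);
    $id = (int) $db->lastInsertId();
    $st = $db->prepare('SELECT body FROM notes WHERE id = ?');
    $st->execute([$id]);
    return (string) $st->fetchColumn();
}

// The one place HTML escaping happens: at output, for the HTML context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT)');

// Constructed input with the characters from the thread: an apostrophe,
// a CRLF line break, a literal backslash, and some markup.
$input = "What's up?\r\nLine two with a \\ backslash and <b>bold</b>";

// 1. Stored once, read back byte-for-byte: no "\r\n" literals, no added
//    slashes, so stripslashes() on the way out would corrupt real backslashes.
$stored = round_trip($db, $input);
check($stored === $input, 'prepared statement stores the raw bytes');
check(strpos($stored, '\\r') === false, 'no escaped CR in the stored value');

// 2. Escaping by hand before a prepared statement is double escaping:
//    the backslashes become part of the data. This is the only way slashes
//    end up in a table, and is what magic_quotes used to cause.
$doubled = round_trip($db, addslashes($input));
check($doubled === addslashes($input), 'manual addslashes() persists the slashes');
check(strpos($doubled, "What\\'s") === 0, 'stored as What\\\'s, not What\'s');

// 3. The same stored bytes rendered in two HTML contexts. The view decides
//    how to escape; the database never did.
$textarea = '<textarea name="start">' . h($stored) . '</textarea>';
$para     = '<p>' . nl2br(h($stored)) . '</p>';
echo $textarea, "\n", $para, "\n";
check(strpos($textarea, '<b>') === false, 'markup is inert inside the textarea');
check(strpos($para, '&lt;b&gt;') !== false, 'markup is shown as text in the paragraph');
```

Running it prints the textarea and paragraph renderings and throws if any check fails. The order in step 3 matters: nl2br() is applied after h(), so the `<br />` it inserts is the only tag that survives, while the `<b>` from the stored text is shown literally. Whether an administrator's HTML should be emitted unescaped instead is a decision the view makes per field, not something to bake into the row at INSERT time.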