
store javascript in a database column


Balderick


My goal is to store javascript code into a database. My first idea was to use htmlspecialchars; store it in mysql in a table column and later retrieve it with htmlspecialchars_decode.

 

All this to prevent injection / hacking. But online I read one or two warnings that it wouldn't work, which I assume is so (I didn't test it, but it seems quite obvious afterwards).

 

So my question is: is it possible to have a user store javascript in a database and use it in a php script for specific purposes in a secure way?


You don't need to escape the Javascript, just store it as it is. To the database the Javascript is just plain text.

 

The only real security issue you have is not related to the database at all. It occurs when you put the Javascript back into the HTML page, but since it's Javascript I would assume you intend for it to be executed by the browser.

 

I don't know why you want users to be able to put Javascript on the website, so I can't tell you how to protect from attacks through this vector. We need to know who is allowed to add scripts to the site and who is the one that executes the scripts. The person adding the scripts would be the attacker and the one executing the scripts would be the victim.

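What the reply above describes, as an added example that is not part of the thread: the script is stored verbatim through a bound parameter, the encode-then-decode plan is shown to be a round trip, and the choice that matters is made at output time. It assumes the pdo_sqlite extension with an in-memory database standing in for MySQL; the table name, the sample snippet and the `mayExecuteFor()` policy are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// the "snippets" table and the sample snippet are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE snippets (id INTEGER PRIMARY KEY, owner TEXT, code TEXT)');

// Constructed sample of user-submitted JavaScript, quotes and markup included.
$submitted = 'document.title = "it\'s <b>mine</b>";';

// 1. Storing: bind the raw text as a parameter. The driver treats it as data,
//    so no htmlspecialchars() or manual quoting is needed for the database.
$insert = $pdo->prepare('INSERT INTO snippets (owner, code) VALUES (:owner, :code)');
$insert->execute([':owner' => 'alice', ':code' => $submitted]);

$select = $pdo->prepare('SELECT code FROM snippets WHERE owner = :owner');
$select->execute([':owner' => 'alice']);
$stored = (string) $select->fetchColumn();
var_dump($stored === $submitted);      // true: the column holds the text unchanged

// 2. Encoding before storage and decoding after retrieval is a round trip:
//    htmlspecialchars_decode() hands back the original script.
$encoded   = htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8');
$roundTrip = htmlspecialchars_decode($encoded, ENT_QUOTES);
var_dump($roundTrip === $submitted);   // true: nothing was neutralised

// 3a. Showing the code as text (an editor or review page): encode on output.
echo '<pre>' . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</pre>\n";

// 3b. Emitting it for execution: the browser runs it for whoever loads the
//     page, so the check is about who added the script and who executes it.
function mayExecuteFor(string $owner, string $viewer): bool
{
    return $owner === $viewer;         // assumed policy: authors run only their own code
}

$viewer = 'bob';                       // constructed: a different user loads the page
if (mayExecuteFor('alice', $viewer)) {
    echo "<script>\n{$stored}\n</script>\n";
} else {
    echo "<!-- snippet from another user not emitted for this viewer -->\n";
}
```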

 

Code written by you or by a trusted party?

 

The code is not written by me, but what do you mean by a trusted party?

 

Is Google AdSense code trusted, if you have users copy-paste it into your site?

 

Most often they wouldn't modify it, I assume. But what if...?
