Balderick, posted October 2, 2016:

My goal is to store javascript code into a database. My first idea was to use htmlspecialchars; store it in mysql in a table column and later retrieve it with htmlspecialchars_decode. All this to prevent injection / hacking. But online I read one or two warnings that it wouldn't work, which I assume is so (I didn't test it, but it seems quite obvious afterwards). So my question is: is it possible to have a user store javascript in a database and use it in a php script for specific purposes in a secure way?

davej, posted October 2, 2016:

If you simply want to hide your Javascript code from people who are not logged in yet then I think there are easier ways to accomplish that.

Ingolme, posted October 2, 2016:

You don't need to escape the Javascript, just store it as it is. To the database the Javascript is just plain text. The only real security issue you have is not related to the database at all. It occurs when you put the Javascript back into the HTML page, but since it's Javascript I would assume you intend for it to be executed by the browser.

I don't know why you want users to be able to put Javascript on the website, so I can't tell you how to protect from attacks through this vector. We need to know who is allowed to add scripts to the site and who is the one that executes the scripts. The person adding the scripts would be the attacker and the one executing the scripts would be the victim.
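
The storage and output distinction from the post above, as an added example that is not code from any poster in this thread: the snippet is stored unmodified through a bound parameter, and escaping happens only at output, depending on whether the page shows the code or runs it. The `banners` table, its columns, the two function names and the sample snippet are assumptions made for illustration, and in-memory SQLite stands in for MySQL so the script runs without a server.

```php
<?php
// Added example: in-memory SQLite through PDO; the same prepared-statement
// calls work unchanged with a MySQL DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE banners (id INTEGER PRIMARY KEY, owner TEXT, code TEXT)');

// Constructed sample input: contains quotes and markup characters.
$snippet = '<script>document.write("<b>It\'s an ad</b>");</script>';

// Store: bind the snippet as a parameter instead of concatenating it into SQL.
// It goes in as plain text, with no htmlspecialchars() on the way in.
$insert = $pdo->prepare('INSERT INTO banners (owner, code) VALUES (:owner, :code)');
$insert->execute([':owner' => 'constructed-user', ':code' => $snippet]);

// Retrieve: the database returns exactly the text that was stored.
$select = $pdo->prepare('SELECT code FROM banners WHERE id = :id');
$select->execute([':id' => $pdo->lastInsertId()]);
$stored = $select->fetchColumn();

// Output context 1: show the code as text (for example on a review page).
// Escaping at output time makes the browser display it instead of running it.
function render_as_text(string $code): string
{
    return '<pre>' . htmlspecialchars($code, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

// Output context 2: emit the code so the browser executes it. No escaping can
// be applied here without breaking the script, so whoever wrote $code runs
// script in the browser of every visitor who loads the page.
function render_for_execution(string $code): string
{
    return $code;
}

echo "Round trip intact: ", var_export($stored === $snippet, true), "\n";
echo "Shown as text:     ", render_as_text($stored), "\n";
echo "Sent to execute:   ", render_for_execution($stored), "\n";
```

The second function is deliberately a pass-through: the decision about who may add scripts has to be made before that point, because nothing at output time can make an untrusted script safe to execute.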

Balderick, posted October 2, 2016:

The type of code I intend to store is to run banners/advertisements.

davej, posted October 2, 2016:

> The type of code I intend to store is to run banners/advertisements.

Code written by you or by a trusted party?

Balderick, posted October 3, 2016:

> Code written by you or by a trusted party?

The code is not written by me, but what do you mean by a trusted party? Is Google AdSense code trusted, if you have users copy-paste it into your site? Most often they wouldn't modify it, I assume. But what if .... ?

Balderick, posted October 3, 2016:

Is there a GOOGLE API for managing banners/ads?