Jump to content

store javascript in a database column


Recommended Posts

My goal is to store javascript code into a database. My first idea was to use htmlspecialchars; store it in mysql in a table column and later retrieve it with htmlspecialchars_decode.

 

All this to prevent injection / hacking. But online I read one or two warnings that it wouldnt work, which I assume is so (I didnt test it, but it seems quite obvious afterwards) .

 

So my question is: is it possible to have a user store javascript in a database and use it in a php script for specific purposes in a secure way?

Link to post
Share on other sites

You don't need to escape the Javascript, just store it as it is. To the database the Javascript is just plain text.

 

The only real security issue you have is not related to the database at all. It occurs when you put the Javascript back into the HTML page, but since it's Javascript I would assume you intend for it to be executed by the browser.

 

I don't know why you want users to be able to put Javascript on the website, so I can't tell you how to protect from attacks through this vector. We need to know who is allowed to add scripts to the site and who is the one that executes the scripts. The person adding the scripts would be the attacker and the one executing the scripts would be the victim.

Link to post
Share on other sites

 

Code written by you or by a trusted party?

 

the code is not written by me, but what do you mean with a trusted party?

 

Is google adsense code trusted, if you have users copypaste it into your site?

 

Mostoften they wouldnt modify it I assume. But what if .... ?

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...