Posted by RJ on 06/06/06 22:51

"Littlefire" <albe@ambientatom.co.za> wrote >

> Probably the safest way to do this is to store the html/text files outside
> your web root and make them readable only by your web server process.
> However, in many cases such overcautious security paranoia is not
> necessary.
>
> Personally, I prefer storing html in the database. You insert the html
> after
> performing addslashes() on it, and when you want to display it, just do a
> stripslashes() before sending to the browser. It works great for me and
> allows me to easily edit things right out of my admin interface. You have
> to be careful here though. If your database gets compromised, someone can
> insert <?php ... ?> at arbitrary places and so gain access to much more
> than just the database, which could ruin your entire site or cause even
> more damage. Make sure that you guard against this by not performing any
> type of eval() on database-obtained html, or strip all PHP code with a
> regex replace before rendering.
>
Thanks, I'll give it a go.

RJ

• Next in forum: Re: Paging with PHP?
• Prev in forum: Re: Learning php Sql
• Thread view: Re: Importing HTML

[Reply to this message]