Posted by Littlefire on 10/11/82 11:49
RJ wrote:
> Hi All,
>
> I've been going great guns learning PHP and MySQL, It's great!
> Stumbling across a problem though...
>
> I'm creating a Dynamic Administrator style script for my websites and need
> the ability to import and store small pieces of HTML, typically for
> Headers and Footers.
>
> Any recommendations for security?
> eg should these be stored in html / text files or perhaps in the MySQL
> database? (I'm thinking the latter to prevent them being accessed?)
>
> Plus is there any way to automate the import so that PHP will automatically
> include slashes before quotation marks (") in the HTML to prevent PHP
> confusion?
Probably the safest way to do this is to store the html/text files outside
your web root and make them readable only by your web server process.
However, in many cases such overcautious security paranoia is not
necessary.
Personally, I prefer storing html in the database. You insert the html after
performing addslashes() on it, and when you want to display it, just do a
stripslashes() before sending it to the browser. It works great for me and
allows me to easily edit things right out of my admin interface. You have
to be careful here though. If your database gets compromised, someone can
insert <?php ... ?> at arbitrary places and so gain access to much more
than just the database, which could ruin your entire site or cause even
more damage. Make sure that you guard against this by not performing any
type of eval() on database-obtained html, or strip all PHP code with a
regex replace before rendering.
A
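The scheme discussed above (HTML fragments kept in a table, rendered without ever being evaluated as PHP), as an added example that is not code from either poster. It swaps the addslashes()/stripslashes() step for PDO bound parameters, which escape the quotes for you and store the fragment verbatim, so nothing needs stripping on output. Assumptions: an in-memory SQLite database so the script runs stand-alone (the same PDO calls work against MySQL with a mysql: DSN), a hypothetical `fragments` table, and a constructed "poisoned" fragment to show that an embedded PHP tag is inert under echo.

```php
<?php
declare(strict_types=1);

// Added example: store header/footer HTML in a database and render it safely.
// Assumption: in-memory SQLite via PDO so this runs offline; swap the DSN for
// 'mysql:host=...;dbname=...' and the rest is unchanged.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE fragments (name TEXT PRIMARY KEY, html TEXT NOT NULL)');

// Bound parameters replace addslashes(): the driver handles quotes and
// backslashes, and the table holds the HTML exactly as entered.
function storeFragment(PDO $db, string $name, string $html): void
{
    $stmt = $db->prepare('REPLACE INTO fragments (name, html) VALUES (:name, :html)');
    $stmt->execute([':name' => $name, ':html' => $html]);
}

// Fetch a fragment verbatim; no stripslashes() is needed because none were added.
function loadFragment(PDO $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT html FROM fragments WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $html = $stmt->fetchColumn();
    return $html === false ? null : $html;
}

// echo sends the bytes to the browser as-is. A PHP open tag stored in the
// fragment is just text here; only eval() or include of the fragment would
// turn it into code, which is the mistake the post warns about.
function renderFragment(PDO $db, string $name): void
{
    $html = loadFragment($db, $name);
    if ($html !== null) {
        echo $html;
    }
}

// Belt-and-braces filter for fragments edited through the admin UI: drop
// PHP tag blocks ("<?php", "<?=" and short "<? ") so nothing downstream can
// be tricked into running them. An unterminated tag is removed to end of
// string, which is also how PHP's own lexer would treat it.
function stripPhpTags(string $html): string
{
    return preg_replace('/<\?(?:php\b|=|\s).*?(?:\?>|\z)/is', '', $html);
}

// Constructed sample data: an innocent header and a poisoned fragment.
storeFragment($db, 'header', '<div class="hdr">Welcome to "My Site"</div>');
storeFragment($db, 'poisoned', '<p>hi</p><?php system("id"); ?><p>bye</p>');

$poisoned = loadFragment($db, 'poisoned');
assert(strpos($poisoned, '<?php') !== false);            // stored verbatim, not executed
assert(stripPhpTags($poisoned) === '<p>hi</p><p>bye</p>');
assert(loadFragment($db, 'header') === '<div class="hdr">Welcome to "My Site"</div>');

renderFragment($db, 'header');   // quotes arrive intact, no slashes to strip
renderFragment($db, 'poisoned'); // the PHP tag is printed as text, system() never runs
```

The point of the last two calls is the contrast the reply draws: rendering with echo leaves a compromised row able to inject markup (an XSS problem, handled separately with escaping or an HTML sanitizer), but not able to execute code on the server; that only happens if the fragment is passed through eval() or written to a file that is then included.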