Search code examples
phphtmlmysqlmarkdownhtmlpurifier

Best practice for storing HTML in mysql DB


I'm working on a mini blog which allows users to add a post using a WYSIWYG editor to the site therefore I will be storing this post in my DB .

Having researched markdown I have come to the conclusion that it is not fit for purpose since I require local video uploaded which is why I am now planning on storing the HTML from the WYSIWYG editor into my DB.

I however do have some concerns regarding SQL injection and XSS attacks however I have researched a solution which is HTML purifier.

If I use HTML purifier to remove unwanted HTML tags is this then a safe solution to store the HTML in my DB?


Solution

  • Storing HTML in the database is not intrinsically unsafe, any more than storing plain text is intrinsically unsafe. The risk of SQL injection is trivially mitigated by using prepared statements and proper placeholders. Escaping is neither necessary nor is it best practice for preventing SQL injection. Prepared statements are.

    Conversely, XSS and other HTML-related vunerabilities have nothing to do with the database and everything to do with rendering HTML to viewers from untrusted sources. The same vulnerabilities would be there if the HTML were simply stored in files, with no database at all, so there is no need to protect the database from malicious HTML. The database has no knowledge of or vulnerability to what's contained in stored HTML content, because it doesn't render or interpret the HTML... again, as long as your database interactions use prepared statements. There are no acceptable justifications for avoiding those.

    To exaggerate the point to an extreme, it would be perfectly safe to store files containing viruses as blobs in a database, because the database does not execute the data stored in it, as code. The vulnerability would be to the users downloading those viruses.