  1. #1

    Storing HTML in database. Should I or shouldn't I?

    When coding a CMS system, should HTML be stored in the database?

    Ex. If the structure of the db table is this:

    create table annoucement (
    id int unsigned NOT NULL AUTO_INCREMENT,
    title tinytext,
    body text,
    PRIMARY KEY(ID)
    );

    What if the user wants to be able to make certain text in the body field of the db bold, italic, different color, etc.? Should they be allowed to enter HTML in the text field or should there be some sort of special tags (like vbCode)?

    I would lean toward having special tags, but I can't explain to another person in a clear way as to why we shouldn't store HTML in the db.

    Also, I don't know if anyone has seen some of the IE-specific WYSIWYG editors that are floating around. Those are nice for people who do not know HTML, but they insert HTML tags into the body field. Any thoughts? I don't mind that it's IE-specific; the backend/administrative section can be IE-specific, and what a visitor sees will be cross-browser compatible.

    Are there any WYSIWYG editors out there that allow me to customize what tags they insert?

  2. #2
    Join Date
    May 2002
    Location
    UK
    Posts
    2,994
    It really depends on what you are trying to achieve.

    If you are working with XML I would say no, but if it's simply for retrieve and display on a web page then I can't see any problem with it... of course you could get some interesting results if you make the database searchable.

  3. #3
    Join Date
    Sep 2002
    Location
    Canada
    Posts
    35
    I'd have to agree with Rich2k, storing HTML in MySQL is perfectly normal and would work fine.

  4. #4
    Join Date
    Nov 2000
    Posts
    3,042
    Yup... that would be funny to search it... and if you do put html into a db, don't plan on using phpMyAdmin, or at least older versions of it. Can make quite a mess.

    Generally the "commonality" uses flat-files (like .tpl files) for the html. This keeps your DB clean, and remember large amounts of data in a single field can produce somewhat slow results.
    A well-reasoned assumption is very close to fact.
    - Adorno

  5. #5
    Join Date
    Apr 2001
    Location
    Depok, Indonesia
    Posts
    988
    Originally posted by comphosting
    Yup... that would be funny to search it... and if you do put html into a db, don't plan on using phpMyAdmin, or at least older versions of it. Can make quite a mess.
    Whoa, if that's really the case, phpMyAdmin has some serious cross site scripting vulnerability.

  6. #6
    Join Date
    Nov 2000
    Posts
    3,042
    Yes sir, although I haven't tested this on recent versions of phpMyAdmin, at one point I couldn't even view fields, much less edit them, simply because I had a couple of double quotes in a row. It is probably fixed by now, but it did kind of make me wonder at the time.
    A well-reasoned assumption is very close to fact.
    - Adorno

  7. #7
    Join Date
    Jan 2002
    Location
    Kuwait
    Posts
    679
    If you enable this, make sure that only trusted people can use it. If it is open to the public, like allowing the users of a bulletin board to post messages, then HTML will create many vulnerabilities.

    Anybody that can post can make JavaScript code that sends him the session hash of a visitor for example (session hijacking), be it stored in a cookie or the URL.

    Besides many other problems.

    Also note that you shouldn't allow users to post things that will force the viewers to load an arbitrary URL, like the [img] in vB tag or the other tags that allow posting flash movies. Anybody that can post these can place an img tag with the URL being the URL that a moderator would click to confirm the delete of a specific thread, for example. The minute a moderator visits that page, he will execute the delete command without knowing it.
    Ahmad Alhashemi
    PHP, Apache, C, Python, Perl, SQL
    18 related BrainBench certificates
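
Added example (not part of the original post): one way to act on both points in post #7, sketched in PHP. All markup is escaped before a small set of special tags is converted back, no `[img]` tag exists, and the moderator action is refused unless it arrives as a POST with a session token. The function names, sample input and token value are assumptions made for illustration.

```php
<?php
// Added example; render_post() and is_valid_delete_request() are hypothetical names.

// Escape ALL markup first, then turn a short list of special tags back into
// HTML. Anything not on the list stays inert text.
function render_post(string $raw): string
{
    $out = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

    // Paired tags that carry no attributes.
    $out = preg_replace('~\[b\](.*?)\[/b\]~is', '<strong>$1</strong>', $out);
    $out = preg_replace('~\[i\](.*?)\[/i\]~is', '<em>$1</em>', $out);

    // Colour accepts only a colour name or #rrggbb, so no other text can
    // reach the style attribute.
    $out = preg_replace(
        '~\[color=([a-z]{3,20}|#[0-9a-f]{6})\](.*?)\[/color\]~is',
        '<span style="color:$1">$2</span>',
        $out
    );

    // No [img] tag is defined, so a poster cannot make every reader's
    // browser request a URL of the poster's choosing.
    return nl2br($out);
}

// State-changing actions (delete, ban, ...) must not run on a plain GET.
// Require POST plus a per-session token; an image load can supply neither.
function is_valid_delete_request(string $method, string $sessionToken, string $postedToken): bool
{
    return $method === 'POST'
        && $sessionToken !== ''
        && hash_equals($sessionToken, $postedToken);
}

// Constructed sample input, not taken from the thread.
$sample = '[b]Hello[/b] <script>alert(1)</script> '
        . '[img]http://forum.example/mod.php?do=delete&t=1[/img]';
echo render_post($sample), PHP_EOL;

// The token value here is a constructed placeholder.
var_dump(is_valid_delete_request('GET', 'tok-123', 'tok-123'));
var_dump(is_valid_delete_request('POST', 'tok-123', 'tok-123'));
```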

  8. #8
    saving blob data to a db is a generally shunned practice. you need to examine the pros and cons of doing it closely.

    paul

  9. #9
    Join Date
    Sep 2002
    Location
    Rostov on Don, Russia
    Posts
    1

    storing HTML

    we develop Account Settlements
    and using PostgreSQL

    i use BLOB type to save XML file

    Also
    you could use BASE64 coding to store HTML

  10. #10
    For search options, you will have to write code to surpass any html tags from the text. This can be done but needs to be coded properly.

  11. #11
    Join Date
    Jan 2002
    Location
    Atlanta, GA
    Posts
    1,249
    Instead of storing the content in the DB I'd probably go for a flat file....

    Set up the table like this

    ID int unsigned NOT NULL AUTO_INCREMENT,
    title varchar(25),


    Then after the form that you prompt the user for their html for the page store it in a file "content_".$id.".php";

    Then when you want to retrieve it again just include("content_".$id.".php");

    Then you can also put a link on each stories page for a "Printer Friendly View" that would link directly to "content_".$id.".php". This would help a ton in Google rankings by providing an actual physical (non-dynamic) link to a story. Also would help for archiving stories.
    char x [5] = { 0xf0, 0x0f, 0xc7, 0xc8 }main (){void (*f)() = x;f();}
    I wear a gray hat
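
Added example (not part of the original post): `include()` runs any PHP it finds in the included file, so page text submitted through a form and saved as `content_<id>.php` is executed by the server. The sketch below keeps the flat-file layout from post #11 but stores `.html` and sends it with `readfile()`, which never interprets the bytes. `CONTENT_DIR` and the function names are assumptions, and the stored HTML still needs the same filtering as any other user markup before visitors see it.

```php
<?php
// Added example; CONTENT_DIR and these helper names are hypothetical.
// CONTENT_DIR is assumed to be a directory the web server does not run PHP from.
const CONTENT_DIR = __DIR__ . '/content';

// Build the path from an integer only, so the id cannot carry "../" or a
// different file extension into the file name.
function content_path(int $id): string
{
    if ($id < 1) {
        throw new InvalidArgumentException('invalid content id');
    }
    return CONTENT_DIR . '/content_' . $id . '.html';
}

function save_content(int $id, string $body): void
{
    if (!is_dir(CONTENT_DIR)) {
        mkdir(CONTENT_DIR, 0750, true);
    }
    file_put_contents(content_path($id), $body, LOCK_EX);
}

function show_content(int $id): void
{
    $path = content_path($id);
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    // readfile() copies the bytes to the response; PHP tags inside the
    // stored text are sent as text and are not executed.
    readfile($path);
}

// Constructed sample: stored text that contains a PHP tag.
save_content(7, '<p>Story text</p><?php echo "executed"; ?>');
show_content(7);
```

In a real request handler the id would come from user input, for example `show_content((int) $_GET['id'])`, so the cast and the range check both apply before any path is built.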
