Tuesday 26 December 2017

php - PDO prepared statements to store html content

itemprop="text">


I'm looking for a way to
handle HTML content within prepared
statements.



My application provides a basic
WYSIWYG Editor and after the user is saving the content my script stores HTML-Data in an
sqlite database.



But if i'am using a prepared
statement my HTML gets -naturally- escaped.



This
is what i've so far:



try
            {


 /* Create databases and open connections
            */
 $dbh = new PDO( 'sqlite:db/coaching.sqlite' );

 /*
            Set Error Mode for Exception Handling */
 $dbh->setAttribute(
            PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

 /* Prepare SQL
            Statement */
 $query = $dbh->prepare( "UPDATE Content SET Value=:value
            WHERE Token=:token" );

 /* Bind Param to Statement
            */

 $query->bindParam( ':token', $_POST['id'],
            PDO::PARAM_STR);
 $query->bindParam( ':value', $_POST['value'],
            PDO::PARAM_STR);

 /* Execute Query */

            $query->execute();

 /* Echo Data */
 echo
            $_POST['value'];

 /* Close connections to Database
            */

 $dbh = NULL;

}
catch(
            PDOException $e ) {

 /* Print Error-Messages */
 echo
            $e->getMessage();
}


Answer





Prepared statements do not escape
variables. The command and the variables are transferred to database simultaneously but
independently. If you see your data escaped in database, there's another reason. E.g.
magic_quotes are turned on. Can you echo
get_magic_quotes_gpc in your script to see if they're On or
Off? If they're On, you can set them Off using href="https://stackoverflow.com/questions/517008/how-to-turn-off-magic-quotes-on-shared-hosting">different
techniques. This will solve the
problem.



Additionaly, following your comment,
prepared statements do rel="nofollow noreferrer">prevent SQL injection
attacks so you don't have to worry about escaping your variables. What may be
difficult to understand is the way the prepared statements work. Say you have a
query:



$query = "SELECT `id` FROM
            `users` WHERE `login` = '" . $login . "' AND `password` = '" . $password
            ."'";


$login
and $password are passed to the query directly, as they are. If
someone attempts to pass mylogin' -- to
$login, the query
becomes:



$query = "SELECT `id`
            FROM `users` WHERE `login` = 'mylogin' -- ' AND `password` =
            'anypassword'";



and
is send to the database. This way an attacker can gain access to any
account.



What prepared statements do, they
transfer the query arguments independly of the query. The query is NOT build of the
variables before it is transferred to database. Instead, the variables are transferred
somehow next to the query. They are referenced in the query. This way the query can't be
spoofed neither intentionally nor unintentionally.



With prepared statement the exampled
$login will be transferred as is, and will not affect the query
structure.



If it would be possible to carry
passengers by plane, with passengers actually NOT boarding the plane, that would be
called a "prepared flight" :) Passengers would not be able to influence the route and
hijack the plane. They would have appeared at the target airport with the plane
landing.


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

php - file_get_contents shows unexpected output while reading a file

I want to output an inline jpg image as a base64 encoded string, however when I do this : $contents = file_get_contents($filename); print &q...