Importing HTML

on 04.06.2006 18:18:42 by powerx

Hi All,

I've been going great guns learning PHP and MySQL. It's great!
Stumbling across a problem though...

I'm creating a Dynamic Administrator style script for my websites and need
the ability to import and store small pieces of HTML, typically for Headers
and Footers.

Any recommendations for security?
eg should these be stored in html / text files or perhaps in the MySQL
database? (I'm thinking the latter to prevent them being accessed?)

Plus is there any way to automate the import so that PHP will automatically
include slashes before quotation marks (") in the HTML to prevent PHP
confusion?

Any help appreciated.

Thanks

prx

Re: Importing HTML

on 05.06.2006 09:04:42 by littlefire

RJ wrote:

> Hi All,
>
> I've been going great guns learning PHP and MySQL. It's great!
> Stumbling across a problem though...
>
> I'm creating a Dynamic Administrator style script for my websites and need
> the ability to import and store small pieces of HTML, typically for
> Headers and Footers.
>
> Any recommendations for security?
> eg should these be stored in html / text files or perhaps in the MySQL
> database? (I'm thinking the latter to prevent them being accessed?)
>
> Plus is there any way to automate the import so that PHP will automatically
> include slashes before quotation marks (") in the HTML to prevent PHP
> confusion?

Probably the safest way to do this is to store the html/text files outside
your web root and make them readable only by your web server process.
However, in many cases such overcautious security paranoia is not
necessary.

Personally, I prefer storing html in the database. You insert the html after
performing addslashes() on it, and when you want to display it, just do a
stripslashes() before sending to the browser. It works great for me and
allows me to easily edit things right out of my admin interface. You have
to be careful here though. If your database gets compromised, someone can
insert at arbitrary places and so gain access to much more
than just the database, which could ruin your entire site or cause even
more damage. Make sure that you guard against this by not performing any
type of eval() on database-obtained html, or strip all PHP code with a
regex replace before rendering.

A
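
Added example, not part of any post in this thread: one way to store and render such fragments with PDO bound parameters in place of the addslashes()/stripslashes() pair described above, printing the stored HTML as data rather than passing it to eval(). The table name, function names and sample fragment are hypothetical, and in-memory SQLite (pdo_sqlite assumed available) stands in for MySQL.

```php
<?php
declare(strict_types=1);
// Added example; table and function names are hypothetical.
// In-memory SQLite stands in for MySQL: only the DSN would differ.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE fragments (name VARCHAR(64) PRIMARY KEY, html TEXT NOT NULL)');

function save_fragment(PDO $db, string $name, string $html): void
{
    // Bound parameters travel separately from the SQL text, so quotes in
    // the HTML cannot break the statement and addslashes() is not needed.
    $stmt = $db->prepare('REPLACE INTO fragments (name, html) VALUES (:name, :html)');
    $stmt->execute([':name' => $name, ':html' => $html]);
}

function load_fragment(PDO $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT html FROM fragments WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $html = $stmt->fetchColumn();
    return $html === false ? null : (string) $html;
}

// Constructed sample fragment: double quotes, an apostrophe, a backslash
// and an embedded PHP tag such as a tampered row might contain.
$header = '<a href="/" title="Bob\'s C:\\site">Home</a>'
        . '<?php echo "should never run"; ?>';

save_fragment($db, 'header', $header);
$stored = load_fragment($db, 'header');

// The fragment comes back byte for byte without any stripslashes() call.
var_dump($stored === $header);
// stripslashes() on output would eat the legitimate backslash.
var_dump(stripslashes($stored) === $header);

// echo treats the row as data: the embedded PHP tag reaches the browser as
// inert text. eval() or include on this value would execute it instead.
echo $stored, "\n";
```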

Re: Importing HTML

on 06.06.2006 12:19:55 by lorento

RJ wrote:
> Any recommendations for security?
> eg should these be stored in html / text files or perhaps in the MySQL
> database? (I'm thinking the latter to prevent them being accessed?)

I think storing them in files is better, because they can be accessed
faster. In order to prevent them being accessed you can use .htaccess so
only the PHP program can access them.

--
http://www.mastervb.net
http://www.padbuilder.com

Re: Importing HTML

on 07.06.2006 00:51:02 by powerx

"Littlefire" wrote:

> Probably the safest way to do this is to store the html/text files outside
> your web root and make them readable only by your web server process.
> However, in many cases such overcautious security paranoia is not
> necessary.
>
> Personally, I prefer storing html in the database. You insert the html after
> performing addslashes() on it, and when you want to display it, just do a
> stripslashes() before sending to the browser. It works great for me and
> allows me to easily edit things right out of my admin interface. You have
> to be careful here though. If your database gets compromised, someone can
> insert at arbitrary places and so gain access to much more
> than just the database, which could ruin your entire site or cause even
> more damage. Make sure that you guard against this by not performing any
> type of eval() on database-obtained html, or strip all PHP code with a
> regex replace before rendering.
>
Thanks, I'll give it a go.

RJ