Reputation: 8705
I am trying to create a mini CMS, where a user can create a new page and that page then becomes part of the menu. Is it smart to insert full pages into the database, or is there a better way to do so? Also, I am having a bit of a problem with a tag when I am inserting. Code for now:
For inserting a page into the db:
public function strana_insert()
{
    $this->admin_login_check();
    $clear = $this->str->clean_request();
    // Single-quoted '\n' is a literal backslash followed by "n", not a newline,
    // and the original array listed it twice; double quotes match real line breaks.
    $char = array("\r\n", "\n");
    $strana = str_replace($char, '<br>', $clear['opis']);
    // Build a URL keyword from the lower-cased title, e.g. "O nama" -> "o_nama"
    $kljucna_rec = str_replace(' ', '_', mb_convert_case($clear['naziv'], MB_CASE_LOWER, "UTF-8"));
    $data = array(
        'naziv'           => $clear['naziv'],
        'strana'          => htmlspecialchars($strana, ENT_QUOTES, "UTF-8"),
        'kljucna_rec'     => $kljucna_rec,
        'datum_kreiranja' => date("Y-m-d H:i:s")
    );
    $this->str->save($data);
    $this->save_routes();
    redirect('admin');
}
Code for the clean_request function:
public function clean_request()
{
    $clean = array(); // avoid an undefined variable when $_POST is empty
    foreach ($_POST as $key => $value) :
        $clean[$key] = mysql_real_escape_string(trim($value));
    endforeach;
    return $clean;
}
When I insert a page with a tag, I get the following result:
<a href=\"http://www.example.com\" class=\"link_name\">www.example.com</a>
After updating the page, everything between *\ * is deleted. What is going on here?
Upvotes: 4
Views: 5003
Reputation: 423
It's because of the escape function!! htmlspecialchars changes your code to just a simple string!!
If you'd like to save it as HTML, you should save the code without escaping!
BTW, this isn't a smart way to create static pages. You may like to create a layout and simply let users put content in it ;)
Upvotes: 3
Reputation: 1761
You can use Codeigniter's active class to insert this OR use the following method.
Before inserting HTML data into the database, do this:
$html_for_db = addslashes($html_content);
and insert $html_for_db into the database.
While displaying this content:
echo stripcslashes($data_from_db);
stripcslashes() - Un-quote string quoted with addcslashes
More info: http://php.net/manual/en/function.addslashes.php
Upvotes: 3
Reputation: 1542
If you want to store HTML in your DB, I recommend using htmlpurifier to clean up your HTML code and also strip out unwanted HTML tags.
There is also a helper which makes using htmlpurifier within CodeIgniter really easy: https://github.com/refringe/codeigniter-htmlpurifier
After you have cleaned your input string with htmlpurifier, you should use CodeIgniter's Active Record class to insert your data (http://ellislab.com/codeigniter/user-guide/database/active_record.html). This way the framework will do the escaping.
Upvotes: 1
Reputation: 3690
You have to prevent two types of attacks here: SQL injection and cross-site scripting. You considered both and used htmlspecialchars() against XSS and mysql_real_escape_string() against SQL injection.
But you used them in the wrong order. You first have to use htmlspecialchars, because that's the thing you want to store/output. To put it safely into the database you have to wrap it into its mysql_real_escape_string-ized presentation before storing it, or use parameter binding instead.
Upvotes: 0
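The two-context point made in the last answer, and the backslashes the asker sees, side by side as an added example (not code from the question or from any answer). It uses PDO with an in-memory SQLite database so it runs stand-alone; the table and column names come from the question, and addslashes() stands in for mysql_real_escape_string(), which is gone in PHP 7 and added the same backslashes.

```php
<?php
// Added example, not part of the original thread. Assumes PHP with the pdo_sqlite extension.

// The question's order: SQL-escape first (backslashes added), then HTML-escape.
// Every " in the markup becomes \" and then \&quot; so the backslash is stored
// as content and survives into the page.
function manual_pipeline(string $html): string
{
    $sql_escaped = addslashes($html);                              // " -> \"
    return htmlspecialchars($sql_escaped, ENT_QUOTES, 'UTF-8');   // \" -> \&quot;
}

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE strana (naziv TEXT, strana TEXT)');
    return $db;
}

// SQL context: bind the raw value. The driver handles quoting, so no
// backslashes are ever added to the stored markup and no escape order exists.
function save_page(PDO $db, string $naziv, string $html): void
{
    $stmt = $db->prepare('INSERT INTO strana (naziv, strana) VALUES (:naziv, :strana)');
    $stmt->execute([':naziv' => $naziv, ':strana' => $html]);
}

function load_page(PDO $db, string $naziv): string
{
    $stmt = $db->prepare('SELECT strana FROM strana WHERE naziv = :naziv');
    $stmt->execute([':naziv' => $naziv]);
    return (string) $stmt->fetchColumn();
}

$html = '<a href="http://www.example.com" class="link_name">www.example.com</a>'; // constructed sample
echo manual_pipeline($html), "\n";

$db = open_db();
save_page($db, 'home', $html);
save_page($db, "x'); DROP TABLE strana; --", $html); // bound, so stored as a literal title
if (load_page($db, 'home') !== $html) {
    throw new RuntimeException('round trip changed the stored markup');
}

// HTML context: decide once, at output time. htmlspecialchars() shows the markup
// as text (the link stops being a link); to render it as markup, pass the stored
// string through an allowlist sanitizer such as HTML Purifier instead.
echo htmlspecialchars(load_page($db, 'home'), ENT_QUOTES, 'UTF-8'), "\n";
```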