Reputation: 8990
I was looking at the status.net source code and MySQL tables, and they seem to have HTML tags in their MySQL field values. I was just wondering: is that the right thing to do, or is it going to cause some problems in the future?
Upvotes: 1
Views: 179
Reputation: 9332
Short answer: Depends
Long answer: This practice is quite common and often unavoidable.
Think about blog posts: the HTML code in them that marks up the content cannot be separated from the content itself.
Possible issues:
JavaScript injection. If I can inject malicious HTML code into your database, I could create links to malware or JavaScript commands that help install viruses or trojans.
There's always a trade-off.
Upvotes: 0
Reputation: 24360
It depends on where it will be used. It isn't an issue if the intention is to have arbitrary HTML there. Especially not if the developers and admins are the only ones who can put it in there.
On the other hand, if, for example, a user of your system managed to put it there and also used the opportunity to put in a script tag and a reference to their own scripts, you might very well be in big trouble (if you don't escape the strings before you render them on your site).
Upvotes: 2
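An added example, not part of the thread and not StatusNet's code, showing the two cases the answers above distinguish: a plain-text column is escaped when rendered, and a column meant to hold HTML is passed through a tag allowlist when rendered. The `notice` table, its `author` and `body_html` columns, the allowlist policy, and the use of an in-memory SQLite database in place of MySQL are all assumptions made for illustration.

```python
import html
import sqlite3
from html.parser import HTMLParser

# Assumed policy (not from the page): tags a rich-text field may keep.
ALLOWED = {"p": (), "b": (), "i": (), "em": (), "a": ("href",)}
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # href is the only kept attribute
DROP_CONTENT = ("script", "style")  # their text content is discarded as well

class AllowlistSanitizer(HTMLParser):  # rebuilds markup from allowlisted tags only
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif tag in ALLOWED and not self.skip:
            kept = "".join(f' {k}="{html.escape(v)}"' for k, v in attrs if k in ALLOWED[tag]
                           and v and v.strip().lower().startswith(SAFE_SCHEMES))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))  # text is always re-escaped

def sanitize_html(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.out)

def render_notice(conn, notice_id):
    author, body = conn.execute(
        "SELECT author, body_html FROM notice WHERE id = ?", (notice_id,)).fetchone()
    # Plain-text column: escape. Rich-HTML column: allowlist. Both at output time.
    return f"<h3>{html.escape(author)}</h3><div>{sanitize_html(body)}</div>"

def demo():
    conn = sqlite3.connect(":memory:")  # stand-in for the MySQL table
    conn.execute("CREATE TABLE notice (id INTEGER PRIMARY KEY, author TEXT, body_html TEXT)")
    conn.execute("INSERT INTO notice VALUES (1, ?, ?)", (  # constructed sample row
        "Eve <script>x()</script>",
        '<p onclick="x()"><a href="javascript:x()">bad</a> <a href="https://example.org/">ok</a></p>'))
    return render_notice(conn, 1)
```

The hand-written allowlist keeps the example dependency-free; in a deployed application a maintained HTML sanitizer library is the usual choice for the rich-HTML case.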
Reputation: 44346
A database can be used for storing just like the filesystem. So in most cases it's not a problem if you store HTML.
Let's take the articles of a WordPress blog as an example. It's definitely OK to store them in the database.
Upvotes: 0
Reputation: 51797
I would like to take the opportunity to quote the favorite sentence of my old IT teacher:
Oh, it depends.
Without knowing where and why the tags are stored in a DB, it's hard to say if this is a good idea...
Upvotes: 0