Gryz Oshea

Reputation: 361

How should HTML tags be kept in the database?

I am creating my new site. Now I am learning and using Symfony. I have a few questions.

  1. Why does Symfony by default allow adding HTML tags to the database? For example, I create a new module, go to module/new, enter <strong>test</strong> in the title and then save it. In the MySQL database I have <strong>test</strong>. Is it safe?
  2. I know that if I simply use $test->getTitle() then this renders the text <strong>test</strong>, but what if I would like to add a WYSIWYG editor for user comments and use RawValue()? Users could leave </strong> tags unclosed and the whole site would be broken...
  3. Could they, for example, steal cookies?
  4. Is there any safe WYSIWYG editor for Symfony? If I use CKEditor or TinyMCE, am I safe?
  5. On Stack Overflow there is WMD Markdown, but I can't find it anywhere. How does it keep HTML tags in the database? As **test**?

Upvotes: 1

Views: 3956

Answers (2)

Madara's Ghost

Reputation: 174957

There are 2 things to always consider when storing any string in the database:

  1. Is it harmful for the database (always the same solution)
  2. Is it harmful for the recipient client (depends on what client that is)

As for #1

You must always sanitize any input towards your database, that helps preventing SQL Injections and other various database attacks.

As for #2

Your recipient client is a browser, you are serving HTML. You must make sure that no unwanted tags are inserted, you could do it in several ways.

  • Decide which tags you allow and which you do not, and filter them with PHP before entry. (So, for example, all <script> tags are stripped away from the code.)
  • Disallow ALL tags, and decide on your own specific syntax (like SO's **bold** or [links][http://google.com]), and store that. When getting it out of the database, parse it with PHP or JavaScript and serve that to the client.

There are plenty of other solutions, be creative.

Upvotes: 4
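The two routes in the answer above, as an added example in plain PHP (this is not code from the question, the answer or Symfony; the tag/attribute policy in `$allowed` and the function names are chosen for this example). Route A escapes everything on output, route B keeps an allowlist of tags and drops the rest. It also shows why `strip_tags()` with an allowed-tags list is not enough on its own: that function keeps attributes such as `onclick` on the tags it lets through, so a real filter has to parse the markup and inspect attributes too. Because the input is run through an HTML parser, an unclosed `<strong>` (the question's point 2) comes out closed.

```php
<?php
// Added example (not from the question or answers): two ways to make
// user-supplied HTML safe for the browser, matching the two bullets above.
declare(strict_types=1);

/**
 * Route A: allow no markup at all. Escape on output so the browser shows the
 * literal characters "<strong>test</strong>" instead of interpreting them.
 */
function escapeAll(string $userText): string
{
    return htmlspecialchars($userText, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Route B: keep a few harmless tags and drop everything else.
 * strip_tags($html, '<strong>') would keep <strong onclick="...">, so instead
 * the input is parsed, the DOM is walked, and only allowed tags/attributes stay.
 */
function filterAllowedHtml(string $userHtml): string
{
    // Tag => allowed attributes. Hypothetical policy chosen for this example.
    $allowed = [
        'strong' => [], 'em' => [], 'p' => [], 'br' => [],
        'a'      => ['href'],
    ];

    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);          // tolerate broken input quietly
    // Wrap the fragment in a <div> so it parses predictably; force UTF-8.
    $doc->loadHTML(
        '<?xml encoding="UTF-8"><div>' . $userHtml . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = $doc->getElementsByTagName('div')->item(0);   // outermost div is our wrapper
    if ($root === null) {
        return '';
    }
    cleanChildren($root, $allowed);

    // Serialise only the wrapper's children. The parser has already closed
    // any tag the user left open, so the output is balanced markup.
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanChildren(DOMNode $node, array $allowed): void
{
    // Iterate over a static copy, because the live child list is mutated below.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue;                                   // text nodes are escaped by saveHTML()
        }
        if (!($child instanceof DOMElement)) {
            $node->removeChild($child);                 // comments, processing instructions, ...
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset($allowed[$tag])) {
            if ($tag === 'script' || $tag === 'style') {
                $node->removeChild($child);             // drop element and its content
                continue;
            }
            cleanChildren($child, $allowed);            // clean descendants, then unwrap
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        // Allowed element: remove every attribute not on the allowlist.
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, $allowed[$tag], true);
            if ($keep && $name === 'href') {
                // Plain http(s) links only; rejects javascript: and data: URLs.
                $keep = (bool) preg_match('#^https?://#i', trim($attr->value));
            }
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
        cleanChildren($child, $allowed);
    }
}

// Usage with a constructed sample: an event handler, a script block, a
// javascript: link and an unclosed <strong>, all in one comment.
$input = '<strong onclick="alert(1)">bold<script>x()</script> <a href="javascript:x">link</a> unclosed';
echo escapeAll($input), PHP_EOL;          // literal text, nothing interpreted by the browser
echo filterAllowedHtml($input), PHP_EOL;  // only <strong> and a bare <a> survive, tags balanced
```

Run it with `php` from the command line (the `dom` extension must be enabled). In a Symfony application the usual place for route A is the template engine's output escaping, and for route B a filter like this (or a maintained library doing the same job) applied once before the comment is rendered with RawValue().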

Marc B

Reputation: 360572

1a) Safe for what? As long as your database operations sanitize all user input via mysql_real_escape_string() before insertion into queries, then there's no way a malicious user could attack your database via injection attacks. HTML in the database is like any other piece of text in the database - it's just text with some extra "weird" characters.

1b) As for why it allows it, did you explicitly tell it to NOT allow HTML? PHP/Symfony/MySQL do exactly as you tell them to.

2) Ensuring that the HTML is valid is up to you. You can use things like HTML Purifier to fix "broken" html.

3) If you're doing HTML sanitization/filtration, then a user can embed <script> blocks into the html they're adding and steal cookies via that method...

4) Those editors are just editors. They display stuff and let you (or others) edit that displayed material. They're as safe or unsafe as you want them to be. They're just tools. If you provide a loaded gun to someone, then don't be surprised if someone gets shot.

5) Just because some text has tags in it, of any sort, doesn't make that text magically "different" from other text. MySQL doesn't care, need to know, or even HAVE to know that you're inserting markdown'd text into a field. It just stores what you tell it to, and pulls it back out when you want it to.

Upvotes: 4
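Points 1a and 5 above, as an added example (not code from the answer, the question or Symfony): the database side of the problem, done with PDO prepared statements rather than hand-escaping. An in-memory SQLite database stands in for MySQL so the script runs offline without a server; the `module` table, its `title` column and the function names are invented for this example, and the `pdo_sqlite` extension is assumed to be available. It shows that the tags, quotes and semicolons in a title are stored and read back byte for byte, because the placeholder keeps the data out of the SQL text entirely.

```php
<?php
// Added example (not from the answers): storing user text that contains HTML
// with prepared statements. SQLite in memory stands in for MySQL so this runs
// offline; the table and column names are invented for the example.
declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE module (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    return $pdo;
}

/** Store exactly what the user typed, HTML and quotes included, unescaped. */
function insertTitle(PDO $pdo, string $title): int
{
    // The placeholder keeps data and SQL apart: the driver never splices
    // $title into the statement text, so no mysql_real_escape_string()-style
    // quoting is needed, and the stored value is not altered by quoting either.
    $stmt = $pdo->prepare('INSERT INTO module (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
    return (int) $pdo->lastInsertId();
}

function fetchTitle(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT title FROM module WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

// Constructed inputs: markup, an apostrophe, a semicolon and a comment marker.
// To the database every one of them is just a sequence of characters.
$pdo     = openDb();
$samples = [
    '<strong>test</strong>',
    "O'Brien's <em>notes</em>; -- still just text",
    '**markdown** stays **markdown**',
];
foreach ($samples as $title) {
    $id   = insertTitle($pdo, $title);
    $back = fetchTitle($pdo, $id);
    if ($back !== $title) {
        throw new RuntimeException("title $id did not round-trip unchanged");
    }
    printf("%d: %s\n", $id, $back);   // identical to what went in, tags and all
}
```

The point of the round-trip check is the one the answer makes: the database neither interprets nor repairs the markup, so whether `<strong>test</strong>` or `**test**` sits in the column is purely a question of what your rendering layer expects to find there. Deciding what the browser may see (escaping, an allowlist filter or a library such as HTML Purifier, as in point 2) is a separate step that happens on the way out, not something the database does for you.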
