How to insert Javascript code into the database?


4

I’m creating a bbcode function for a blog I am building and wanted to know if it is possible (and safe) to insert Javascript code into my database.

I am working with Mysql.

Another question: I cannot insert single quotes (which are inside the textarea) into the database.

This is the code I’m using for insertion

$sql="INSERT INTO artigo values";
$sql.="('null','".$titulo."','".$mensagem."', NOW())";
  • 1

    Why don’t you just use .js files instead?

  • Solved, treating the string this way: $messaging_escape = str_replace("'", "'", $message);

  • 2

    @Odair Use mysql_real_escape_string instead of str_replace http://www.php.net/manual/en/function.mysql-real-escape-string.php

  • 1

    Thanks @Emersonrochaluiz I will change here, thank you so much for your help!

  • I usually store language code in the DB in Base64-encoded format...

2 answers

3


The answer to that depends on whether you mean secure for your database or secure for your application.

Database: the main attack is SQL Injection

If you escape characters and remove code that could cause a SQL Injection, it will be safe for your database.

All languages that work with databases offer features to prevent this type of attack. Read about your language to learn more. It is not complex to avoid this type of attack.

Application: the main attack is persistent cross-site scripting (XSS)

This question is very complex and depends on a lot of experience with browsers and how a flaw can be exploited. If you do not know exactly what you are doing, there is a huge chance that a flaw can be exploited: you might allow some javascript code to do something harmless, but people use it to steal cookies from whoever is viewing the page while their javascript code is present, and the code could send the cookies to other websites. This is just one example; there are many others.

It is complex, if not impossible, to prevent this type of attack. Only trusted users should be allowed to enter javascript without heavy validation.

I strongly recommend anyone interested to watch the video Douglas Crockford: Principles of Security, which explains how complicated this is and gives an idea of how to avoid it.

Overview

Unless you have strong reasons to do so and know the implications, or rely heavily on who will enter the javascript code, don’t do this. By default CMSs such as Joomla and WordPress do not allow inserting javascript; there are ways to allow javascript to be inserted in articles, but it is the person who manages the CMS who decides to enable this.

  • Man, thanks for the feedback! I’ll be the one including the .js in the database, so it’s safe! haha Thanks again.

3

1. Yes, it is possible.

Javascript code is text only. Technically, there is no problem storing it in the database. Whether it is recommended or the best solution is another question.

2. Is it safe? Depends.

It depends completely on the use you intend to give to this code. Where it comes from, where it goes, and how it is used.

In the database there is no Javascript execution environment, so it’s safe. As said above, it’s just another text string. You will need to take the precautions common to any other text content, notably escaping, to avoid vulnerabilities that are independent of whether the text is "Javascript code" or any other type of text.

In the application, on the other hand, it depends a lot, varying from one extreme to the other: depending on the use it can be dangerous or safe.

To analyze it, you need to start by considering: how do you intend to use this code? Who can supply the database with this code?

The danger of using user-generated Javascript code is that a malicious user can easily program an HTTP request to be made, triggering other functions of your application (for example, simulating the effect of a click on "Like", sending the authentication cookie to a remote server, et cetera).

  • Okay, thank you so much for the feedback. I’m trying to insert it but I can’t; the javascript part doesn’t go in?

  • 1

    Odair, it’s only possible to answer if you put the code that’s not working in the question. Edit your question and include the PHP code you are using to try to insert into the database. Probably an escape is missing in the string containing the code.

  • 1

    Okay @J.Bruni, thanks so much for the feedback. I identified the problem that prevented me from inserting: it was the single quotes in my bbcode. But how do I escape this? Ah, I edited the question as you recommended! :D
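Both answers make the same two points: storing the text is a SQL-injection question (the single-quote problem in the question's concatenated INSERT), and showing it is a stored-XSS question. The following PHP is an added example, not code from the question or from either answer, showing the question's INSERT done with a prepared statement and the stored text HTML-encoded before the bbcode is rendered. It assumes the table and column names from the question (artigo, titulo, mensagem) and uses an in-memory SQLite database so it runs offline; with MySQL only the DSN changes, the binding is identical.

```php
<?php
// Added example: parameterised INSERT plus output encoding (not the page's own code).
// In-memory SQLite so the script runs without a MySQL server; for MySQL use
// 'mysql:host=...;dbname=...' and the same prepare()/execute() calls.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE artigo (id INTEGER PRIMARY KEY, titulo TEXT, mensagem TEXT, data TEXT)');

// Constructed input: a single quote (what broke the question's INSERT) and a
// <script> tag (what the first answer warns about once the text is displayed).
$titulo   = "It's a test";
$mensagem = "[b]Hello[/b] it's here <script>alert(1)</script>";

// Prepared statement: values travel separately from the SQL text, so quotes or
// SQL fragments inside $titulo / $mensagem can never change the statement.
// No str_replace or *_escape_string is needed on the values.
$stmt = $pdo->prepare(
    'INSERT INTO artigo (titulo, mensagem, data) VALUES (:titulo, :mensagem, :data)'
);
$stmt->execute([
    ':titulo'   => $titulo,
    ':mensagem' => $mensagem,
    ':data'     => date('Y-m-d H:i:s'),
]);

// The quote is stored exactly as typed; the database only ever saw a string.
$row = $pdo->query('SELECT titulo, mensagem FROM artigo')->fetch(PDO::FETCH_ASSOC);
assert($row['titulo'] === $titulo);

// Rendering is where persistent XSS happens. HTML-encode the stored text first,
// then apply the bbcode transform to the encoded result, so only the tags the
// blog itself generates reach the browser; the stored <script> is shown as text.
function render_bbcode(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_replace('/\[b\](.*?)\[\/b\]/s', '<strong>$1</strong>', $safe);
}

echo render_bbcode($row['mensagem']), PHP_EOL;
```

If a specific trusted author really must publish raw javascript, serve it as a separate .js file (as the first comment suggests) rather than echoing database text into the page unencoded.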
