Best practice for storing HTML in mysql DB


Question

I'm working on a mini blog which allows users to add a post using a WYSIWYG editor to the site, therefore I will be storing this post in my DB.

Having researched markdown I have come to the conclusion that it is not fit for purpose since I require local video uploads, which is why I am now planning on storing the HTML from the WYSIWYG editor into my DB.

I do, however, have some concerns regarding SQL injection and XSS attacks; however, I have researched a solution, which is HTML Purifier.

If I use HTML Purifier to remove unwanted HTML tags, is this then a safe solution to store the HTML in my DB?

Answer

Storing HTML in the database is not intrinsically unsafe, any more than storing plain text is intrinsically unsafe. The risk of SQL injection is trivially mitigated by using prepared statements and proper placeholders. Escaping is neither necessary nor is it best practice for preventing SQL injection. Prepared statements are.

Conversely, XSS and other HTML-related vulnerabilities have nothing to do with the database and everything to do with rendering HTML to viewers from untrusted sources. The same vulnerabilities would be there if the HTML were simply stored in files, with no database at all, so there is no need to protect the database from malicious HTML. The database has no knowledge of or vulnerability to what's contained in stored HTML content, because it doesn't render or interpret the HTML... again, as long as your database interactions use prepared statements. There are no acceptable justifications for avoiding those.

To exaggerate the point to an extreme, it would be perfectly safe to store files containing viruses as blobs in a database, because the database does not execute the data stored in it, as code. The vulnerability would be to the users downloading those viruses.
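The two separate concerns in the answer, as an added example that is not part of the original answer: a prepared statement keeps the raw HTML out of the SQL text on the storage side, and an allow-list sanitizer is applied only when the stored HTML is rendered. Python's `sqlite3` module stands in for MySQL here (an assumption made so the example runs offline; its `?` placeholder is bound as data exactly like a MySQL prepared-statement parameter), and the `posts` table, the `MALICIOUS_BODY` input and the tag/attribute allow-list are constructed for the demonstration.

```python
"""Added example, not from the original answer: prepared statements for the
storage side, an allow-list sanitizer for the rendering side.  Python's
sqlite3 stands in for MySQL (assumption); its '?' placeholder is bound as data
exactly like a MySQL prepared-statement parameter."""
import sqlite3
from html import escape
from html.parser import HTMLParser

# Constructed sample input: what a malicious user could type into the editor.
# The quote/paren prefix targets the SQL layer, the <script> targets viewers.
MALICIOUS_BODY = "hello'), ('attacker', '<script>alert(1)</script>"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn


def insert_unsafe(conn, author, body):
    # Vulnerable on purpose: the body is spliced into the SQL text, so a quote
    # in the HTML rewrites the statement (here it smuggles in a second row).
    conn.execute("INSERT INTO posts (author, body) VALUES ('%s', '%s')" % (author, body))
    conn.commit()


def insert_safe(conn, author, body):
    # Prepared statement: the body travels as a bound parameter, never as SQL,
    # so it is stored byte-for-byte no matter what it contains.
    conn.execute("INSERT INTO posts (author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def all_posts(conn):
    return conn.execute("SELECT author, body FROM posts ORDER BY id").fetchall()


# --- rendering side: the XSS problem lives here, not in the database --------
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "video", "source"}
ALLOWED_ATTRS = {"a": {"href"}, "video": {"src", "controls"}, "source": {"src", "type"}}
VOID_TAGS = {"br", "source"}


def _safe_url(value):
    # Only http(s) and same-origin absolute paths; rejects javascript:, data:, //host
    v = value.strip().lower()
    return v.startswith(("http://", "https://")) or (v.startswith("/") and not v.startswith("//"))


class Sanitizer(HTMLParser):
    """Allow-list sanitizer applied when the stored HTML is rendered.
    Unknown tags are dropped (their text is kept), <script>/<style> bodies are
    dropped entirely, unknown attributes (onclick, onerror, style...) are removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if value is None:
                kept.append(name)  # boolean attribute such as `controls`
            elif name in ("href", "src") and not _safe_url(value):
                continue
            else:
                kept.append('%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(" " + k for k in kept)))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)


def render_posts(conn):
    # Sanitize at output time; the raw HTML stays untouched in the DB.
    return [(escape(author), sanitize(body)) for author, body in all_posts(conn)]
```

Running `insert_unsafe` with `MALICIOUS_BODY` yields two rows, the second authored by "attacker"; `insert_safe` yields one row whose body is the literal string, which is exactly the point: the database stores whatever it is given, and only `render_posts` decides what reaches a browser. The sanitizer is deliberately an allow-list (tags, attributes and URL schemes that are permitted) rather than a deny-list of known-bad constructs; for production use a maintained library such as HTML Purifier on the PHP side does the same job with far more edge cases covered.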
