
I would like to save a css table, similar to the one below into a node of an xml file. The xml file will be stored in a mysql database. The table will be retrieved at a later time and displayed. The “ws-css-table-td” part of the table may contain words or letters the user inputs.

I am using php and mysql.

What measures should I take to make sure that no malicious code will be introduced?

Thanks.

<div class="ws-css-table" >
    <div class="ws-css-table-tr">
        <div class="ws-css-table-td"></div>
    </div>
</div>
  • What are you worried about? SQL injection? XSS? Commented Nov 30, 2015 at 15:41
  • Stopping malicious code from getting into your query? Use parameterised queries or a sanitisation function. Stopping malicious code from getting into your final HTML? Use something like htmlentities() on user input when you display it. Commented Nov 30, 2015 at 15:42
  • I am trying to write safe code. I am worried about SQL injection and XSS and probably other things that I am not aware of. What sanitation function is recommended? Commented Nov 30, 2015 at 15:51

1 Answer

Quite some misunderstandings here.

For tables use HTML tables. Some people on the web will discourage the use of tables. This comes from times where people abused them for page layout. There's no reason for not using tables for tables! If you really want to display a table in the classic sense, use the tags table, tr and td.

CSS is for styling first; it can be used for layout too. But it definitely is not for defining tables of data.

Back to the actual question.

  1. Do not save XML in MySQL. XML is a data storage format. Storing your raw data in the database is way cleaner, more flexible, extendible, more maintainable... you get the idea. Do you really need XML anyways? If so, use a marshalling library instead to transform between PHP, XML and Database. For XML there's DTD and XSD, two standard formats for defining what a valid XML document has to look like. Either will enable you to do quick validation and transformation.

  2. Check all user inputs for the right format, type, special characters, encoding and against your business logic. Define first what the user is expected to insert. You can validate the inputs on the client side for instant response, but you still have to validate them on the server before using or saving them. Client-side validation does not replace server-side validation! This is unrelated to any further work with those inputs. The validation is a mandatory prerequisite.

Stick to these basic rules and you should be halfway over the hill. For further potential pitfalls we'd need to know your exact use case.
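The three measures mentioned in the comments and the answer (a parameterised query for storage, escaping at output time, and server-side validation of each cell before saving), put together as an added example in PHP with PDO. This is not code from the question or the answer; the table name page_cells, its columns, and the 200-character limit are assumptions chosen for the example, and it uses an in-memory SQLite database so it runs without a MySQL server (the PDO calls are the same with a mysql: DSN).

```php
<?php
// Added example, not from the original question or answer.
// Assumed schema: page_cells(page_id, row_no, col_no, content).
declare(strict_types=1);

/**
 * Server-side validation of one cell, done before anything is saved:
 * valid UTF-8, at most 200 characters, no control characters other than
 * newline and tab. Adjust the rules to what your users may actually enter.
 */
function validateCell(string $value): string
{
    if (!mb_check_encoding($value, 'UTF-8')) {
        throw new InvalidArgumentException('Cell is not valid UTF-8');
    }
    if (mb_strlen($value, 'UTF-8') > 200) {
        throw new InvalidArgumentException('Cell exceeds 200 characters');
    }
    // Any character in Unicode category C (controls, format, unassigned)
    // except \n and \t is rejected.
    if (preg_match('/[^\P{C}\n\t]/u', $value)) {
        throw new InvalidArgumentException('Cell contains control characters');
    }
    return $value;
}

/**
 * Store the raw text with a prepared statement: the value travels as a
 * bound parameter and is never interpolated into the SQL string, so the
 * database cannot mistake it for SQL.
 */
function saveCell(PDO $db, int $pageId, int $row, int $col, string $value): void
{
    $stmt = $db->prepare(
        'INSERT INTO page_cells (page_id, row_no, col_no, content)
         VALUES (:page, :row, :col, :content)'
    );
    $stmt->execute([
        ':page'    => $pageId,
        ':row'     => $row,
        ':col'     => $col,
        ':content' => validateCell($value),
    ]);
}

/** Read the cells back as $rows[row_no][col_no] = content. */
function loadTable(PDO $db, int $pageId): array
{
    $stmt = $db->prepare(
        'SELECT row_no, col_no, content FROM page_cells
         WHERE page_id = :page ORDER BY row_no, col_no'
    );
    $stmt->execute([':page' => $pageId]);
    $rows = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $r) {
        $rows[(int) $r['row_no']][(int) $r['col_no']] = $r['content'];
    }
    return $rows;
}

/**
 * Render the div-based table from the question. Escaping happens here, at
 * output time, so the database keeps the user's text unchanged and the
 * browser receives <, >, & and quotes as text rather than as markup.
 */
function renderTable(array $rows): string
{
    $html = '<div class="ws-css-table">' . "\n";
    foreach ($rows as $cells) {
        $html .= '    <div class="ws-css-table-tr">' . "\n";
        foreach ($cells as $cell) {
            $escaped = htmlspecialchars($cell, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $html .= '        <div class="ws-css-table-td">' . $escaped . '</div>' . "\n";
        }
        $html .= '    </div>' . "\n";
    }
    return $html . '</div>' . "\n";
}

// Demo with SQLite in memory; swap the DSN for mysql:host=...;dbname=... in production.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE page_cells (page_id INTEGER, row_no INTEGER, col_no INTEGER, content TEXT)');

// Constructed sample input, including a cell that contains markup characters.
saveCell($db, 1, 0, 0, 'Item');
saveCell($db, 1, 0, 1, 'Tom\'s <b>bold</b> "quote" & more');
echo renderTable(loadTable($db, 1));
```

The order matters: validate, then bind as a parameter, and escape only when rendering. Escaping before storage would corrupt the data for any non-HTML consumer (an export, an API), and validation cannot replace the other two steps because a perfectly valid value such as an apostrophe still has to be handled correctly by both the SQL layer and the HTML layer.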


3 Comments

Thanks for this information. I will learn more about the marshalling library to transform from SQL to XML and back. In addition I will check the user inputs using some function and validate it using another function.
Are you sure you need XML anyways? XML is usually used for saving complex data to a file or for transmitting data over the net.
I tried to simplify my example for the post just to find out the safe way to store data. The reason for the CSS tables is b/c they need to be formatted a specific way and change dynamically. The table is just part of a more complex page that contains other data (titles, instructions, color formats, etc). Perhaps a more structured database would be better but I want to keep the page info together. The concept of 1 xml entry per page is easier for me to understand at this point.
