当前位置：文江博客话题详情

mysql - 存储嵌入代码（youtube、vimeo 等）

发布于 2024-08-13 02:44:51 字数 190 浏览 2 评论 0原文

如何最好地存储嵌入的 html？

我能想到的唯一方法是：

获取嵌入的 html 并添加 id 所在的位置然后将其存储在数据库中并使用 Eval 来执行它。

或者

插入一个奇怪的字符组合作为标记，在 php 中用 id 替换。

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

一片旧的回忆 2024-08-20 02:44:51

选项 #2 更安全 - 万一有人设法对您的数据库执行 SQL 注入攻击，他们就无法利用您的嵌入操作在服务器端执行注入的 PHP。他们最多希望的是网络钓鱼或 XSS 攻击。

另一种替代方法是以 XML 格式设置适当的数据，并将 XSLT 存储在数据库中，以将数据转换为正确的嵌入代码。对于您的情况来说，这可能有点过分了，但比上述任何一种方法都更具可扩展性并且更不容易出错。

编辑： XML 版本的骨架代码

XML

<video>
  <url>http://example.com/video.flv</url>
</video>

XSLT

<?xml version="1.0" encoding="ISO-8859-1"?>
<xsl:transform version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" />
  <xsl:template match="video">
    <xsl:element name="embed">
      <xsl:attribute name="src"><xsl:value-of select="url/text()" /></xsl:attribute>
      <xsl:attribute name="width">500</xsl:attribute>
    </xsl:element>
  </xsl:template>
</xsl:transform>

PHP

// assuming the XSLT above is stored in SomeTable.transform, and the above XML has been stored in $xml_text
$xml_doc = new DOMDocument();
$xml_doc->loadXML($xml_text);

$xsl_doc = new DOMDocument();
$xsl_doc->loadXML(GetXSLT("flv"));

$processor = new XSLTProcessor();
$processor->importStyleSheet($xsl_doc);
echo $processor->transformToXML($xml_doc);

function GetXSLT($type)
{
    $db = mysql_connect("user", "password", "host"); // not sure if I got the order right here, but whatever
    $res = mysql_query("SELECT transform FROM SomeTable WHERE type = '$type'"); // should use parameters instead of directly embedding the type here to avoid bugs and exploits, but whatever
    $array = mysql_fetch_assoc($res);
    return $array['transform'];
}

这样做的好处是，您可以创建一个类来生成输入 XML，并且它可以包含您想要传递给 <嵌入> 标签。如果您不向 XSLT 添加处理指令来处理它们，它们将被默默地忽略。创建一个类来生成基本 XML，并为要显示的每种媒体类型创建一个子类，并且生成 XML 来传递转换应该很容易。

Option #2 is much safer - just in case someone manages to execute a SQL injection attack against your DB, they can't then exploit your embedding operation to execute injected PHP on the server side. The best they could hope for would be a phishing or XSS attack.

Another alternative is to format the appropriate data in XML and store in the database an XSLT to transform the data into the right embed code. That's probably overkill for your case, but more scalable and less error-prone than either of the above.

EDIT: Skeleton code for XML version

XML

<video>
  <url>http://example.com/video.flv</url>
</video>

XSLT

<?xml version="1.0" encoding="ISO-8859-1"?>
<xsl:transform version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" />
  <xsl:template match="video">
    <xsl:element name="embed">
      <xsl:attribute name="src"><xsl:value-of select="url/text()" /></xsl:attribute>
      <xsl:attribute name="width">500</xsl:attribute>
    </xsl:element>
  </xsl:template>
</xsl:transform>

PHP

// assuming the XSLT above is stored in SomeTable.transform, and the above XML has been stored in $xml_text
$xml_doc = new DOMDocument();
$xml_doc->loadXML($xml_text);

$xsl_doc = new DOMDocument();
$xsl_doc->loadXML(GetXSLT("flv"));

$processor = new XSLTProcessor();
$processor->importStyleSheet($xsl_doc);
echo $processor->transformToXML($xml_doc);

function GetXSLT($type)
{
    $db = mysql_connect("user", "password", "host"); // not sure if I got the order right here, but whatever
    $res = mysql_query("SELECT transform FROM SomeTable WHERE type = '$type'"); // should use parameters instead of directly embedding the type here to avoid bugs and exploits, but whatever
    $array = mysql_fetch_assoc($res);
    return $array['transform'];
}

The nice part about this is that you can create a class to generate the input XML, and it can contain all the parameters you want to pass to your <embed> tag. If you don't add processing instructions to your XSLT to handle them, they'll be silently ignored. Make one class to generate the basic XML, and a subclass per media type you want to display, and generating the XML to pass the transforms should be easy.

回复收藏 0 原文