What type should I use for html text in my database?


I have a text area plugged in with tinyMCE which will contain HTML code that I wish to save into the database.

I want to save that html code right as it is, to be able to print it anytime, and even to be able to write it down to a file (using fopen("filename","w"); )

Since I'm setting up the table I will be using, I do not know which type of record I should assign to this HTML text in my database.

Should I..:

  • use addslashes/stripslashes when I save/stamp the HTML text?
  • or htmlencodechars/decodechars?
  • or none at all?

Use HTMLPurifier to strip any malicious XSS code from the HTML. TinyMCE tries to do this, but it can be bypassed by posting directly to your script.

When storing the data, use a parameterised query/prepared statement instead of escaping, to prevent SQL Injection. PDO or MySQLi can do that. This is a good PDO tutorial, especially if you're coming from the native mysql_* library.

As for the datatype, any string type is fine; it depends on how long your content could be.
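The two points of the answer carried through in PHP, as an added example that is not the answerer's code: sanitise the submitted HTML server-side with HTML Purifier, insert it with a PDO prepared statement, read it back, and write it to a file as the question asks. The table name `pages`, the MEDIUMTEXT column, the database credentials, the allowed-element list and the hostile sample input are all assumptions made for the example; HTML Purifier is assumed to be installed through Composer.

```php
<?php
// Added example (not from the original question or answer): store TinyMCE
// HTML safely. Assumes HTML Purifier via Composer and this (assumed) table:
//   CREATE TABLE pages (
//     id   INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
//     body MEDIUMTEXT NOT NULL   -- TEXT caps at 64 KiB, MEDIUMTEXT at 16 MiB
//   ) CHARACTER SET utf8mb4;
// Credentials below are placeholders.
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist only what the editor is expected to produce; script, iframe,
    // on* event handlers and javascript: URLs are not on the list and are dropped.
    $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,h2,h3,a[href],img[src|alt]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    return new HTMLPurifier($config);
}

function savePage(PDO $pdo, HTMLPurifier $purifier, string $rawHtml): int
{
    // 1. Sanitise on the server. TinyMCE's client-side filtering means nothing
    //    to an attacker who POSTs to this script directly.
    $clean = $purifier->purify($rawHtml);

    // 2. Store with a bound parameter: no addslashes(), no string-built SQL.
    //    The purified HTML is stored verbatim and comes back exactly as stored.
    $stmt = $pdo->prepare('INSERT INTO pages (body) VALUES (:body)');
    $stmt->execute([':body' => $clean]);
    return (int) $pdo->lastInsertId();
}

function loadPage(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

function writePageToFile(string $html, string $path): void
{
    // The fopen("filename","w") from the question, with locking and an error check.
    if (file_put_contents($path, $html, LOCK_EX) === false) {
        throw new RuntimeException("could not write $path");
    }
}

// --- usage ---------------------------------------------------------------
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user', 'secret',                                   // placeholders
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
$purifier = makePurifier();

// Constructed hostile input standing in for a direct POST that bypasses TinyMCE:
// the apostrophe and quotes would break string-built SQL, the script tag,
// onerror handler and javascript: href are XSS payloads.
$submitted = $_POST['body']
    ?? '<p>O\'Reilly says "hi"</p><script>alert(1)</script>'
     . '<img src="x" onerror="alert(2)"><a href="javascript:alert(3)">x</a>';

$id   = savePage($pdo, $purifier, $submitted);
$html = loadPage($pdo, $id);

// The text and the allowed markup survive; the script element, the onerror
// attribute and the javascript: URL do not. Because purification happened on
// write, the stored HTML can be echoed raw and written to disk as-is.
echo $html;
writePageToFile($html, __DIR__ . '/page-' . $id . '.html');
```

Two design points worth noting: sanitising on write (as here) is the usual choice when the same HTML is printed and written to files, since every consumer then gets the cleaned version, and `PDO::ATTR_EMULATE_PREPARES => false` makes the driver send real server-side prepared statements so the HTML body never touches the SQL text at all.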