php 内容数据库 - 可以存储 HTML 吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/14605935/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Database for Content - OK to store HTML?
提问by Ethosik
Basic question is - is it safe to store HTML in a database if I restrict who can submit to it?
基本问题是 - 如果我限制谁可以提交给它,将 HTML 存储在数据库中是否安全?
I have a pretty simple question. I provide video tutorials and other content. Without spending months writing a proper BBCode parser, I would need to store the HTML so I can have it look exactly the way I want when I grab it from the database.
我有一个很简单的问题。我提供视频教程和其他内容。无需花费数月时间编写合适的 BBCode 解析器,我就需要存储 HTML,这样当我从数据库中获取它时,我可以让它看起来完全符合我的要求。
Basically I plan to store all information in the database about a tutorial series and each episode. I would like to have some formatting for the descriptions for both so I can add multiple paragraphs, ordered and unordered lists, links to required resources, and so on.
基本上,我计划将有关教程系列和每集的所有信息存储在数据库中。我想为两者的描述设置一些格式,以便我可以添加多个段落、有序和无序列表、所需资源的链接等。
I am using PHP and creating my own database. I am using phpMyAdmin to store the information in the table right now. I will use a user with read only rights when I pull the information in the PHP code.
我正在使用 PHP 并创建我自己的数据库。我现在正在使用 phpMyAdmin 将信息存储在表中。当我在 PHP 代码中提取信息时,我将使用具有只读权限的用户。
What is the best way to do this? Thank you!
做这个的最好方式是什么?谢谢!
回答by powerbuoy
Like others have pointed out there's nothing dangerous about storingHTML in the DB. But when you display it you need to know the HTML is safe. Seeing as you're the only one editing the HTML I see no problem.
就像其他人指出的那样,在数据库中存储HTML没有什么危险。但是当您显示它时,您需要知道 HTML 是安全的。看到您是唯一一个编辑 HTML 的人,我认为没有问题。
However, I wouldn't store HTML at all. If all you need are headings, paragraphs, lists, links, images etc I'd say Markdown is a perfect fit. The benefit with Markdown is that it looks just like normal text (ie you could send your articles as e-mails or save them as txt-documents), it takes up a lotless space than HTML andyou don't have to change it once HTML gets updated.
但是,我根本不会存储 HTML。如果您只需要标题、段落、列表、链接、图像等,我会说 Markdown 非常适合。与降价的好处是,它看起来就像普通的文本(例如,你可以把你的文章作为电子邮件发送或保存为TXT的文件),它占用了大量的比HTML更小的空间和你不必去改变它一旦 HTML 更新。
回答by Zed
From the security point of view it is not less secure to store your HTML in a database than storing it anywhere else - if you are the only author of that HTML. But then again if other people can author HTML in your website then it doesn't matter where you store it - only how you sanitize it and how and where you display it.
从安全的角度来看,将您的 HTML 存储在数据库中并不比将其存储在其他任何地方更安全 - 如果您是该 HTML 的唯一作者。但话又说回来,如果其他人可以在您的网站上创作 HTML,那么您将其存储在何处并不重要 - 只需要您如何对其进行消毒以及如何以及在哪里显示它。
Now whether or not it is an efficient way to store HTML is a completely different matter. If I were you I would use some decent templating system and store HTML in files.
现在它是否是一种有效的方式来存储 HTML 是一个完全不同的问题。如果我是你,我会使用一些不错的模板系统并将 HTML 存储在文件中。
回答by Josef Kufner
Storing HTML code is fine. But if it is not from trusted source, you need to check it and allow a secure subset of markup only. HTML Tidy library will help you with that.
存储 HTML 代码很好。但是,如果它不是来自受信任的来源,则需要检查它并仅允许标记的安全子集。HTML Tidy 库将帮助您解决这个问题。
Also, you need to count with a future change in website design, so do not use too much markup, only basic tags. To make it look like you want, use global CSS rules and semantically named classes in the markup.
此外,您需要考虑网站设计的未来变化,所以不要使用太多标记,只使用基本标签。为了让它看起来像你想要的,在标记中使用全局 CSS 规则和语义命名的类。
But even better is to use Markdown or another wiki-like syntax. There are nice JS editors for Markdown with real-time preview (like the one here at Stackowerflow), and you can avoid HTML altogether.
但更好的是使用 Markdown 或其他类似 wiki 的语法。Markdown 有一些不错的 JS 编辑器,可以实时预览(就像 Stackowerflow 上的那个),你可以完全避免使用 HTML。
回答by user956584
I made a really big mistake by storing text data in Mongodb gridFS + compressionand using mongodump for daily backup. GridFS is 1GB of textfiles but after backup memory usage rises sometimes 1GB daily after one month 20GB in memory due to how this backup is made.
通过将文本数据存储在 Mongodb gridFS +压缩中并使用 mongodump 进行日常备份,我犯了一个非常大的错误。GridFS 是 1GB 的文本文件,但在备份内存使用量有时会在一个月后每天增加 1GB,内存中由于备份的方式而增加了 20GB。
In mongodb you should do a snapshot of the data folder - rather than do mongodump. The possible reason is that it copies unused data from disk into memory then makes bson dump. So in my case text that was never used for a long time should never be loaded into memory. I think this is how backup works as even right now my Mongodb is using 200MB of ram after run mongodump its can rise to 3GB
在 mongodb 中,你应该做数据文件夹的快照 - 而不是做 mongodump。可能的原因是它将未使用的数据从磁盘复制到内存中,然后进行 bson 转储。所以在我的例子中,长时间从未使用过的文本不应该被加载到内存中。我认为这就是备份的工作方式,因为即使现在我的 Mongodb 在运行 mongodump 后使用 200MB 的内存,它可以上升到 3GB
So i think the best solution is to use a filesystem for storing HTML files as your even RAID like PERC H700 has many amazing caching features including read ahead. But it has some limitations like network access and with my experiences some data was corrupted in time and needed to run chkdsk for repair as many GB of data was add or removed daily. Also you should consider to use proper raid features like Write troughthat prevent data loss when power failure.
因此,我认为最好的解决方案是使用文件系统来存储 HTML 文件,因为您甚至像 PERC H700 这样的 RAID 也具有许多惊人的缓存功能,包括预读。但它有一些限制,比如网络访问,根据我的经验,一些数据被及时损坏,需要运行 chkdsk 进行修复,因为每天添加或删除大量 GB 数据。此外,您应该考虑使用适当的 RAID 功能,例如写入槽,以防止断电时数据丢失。
Sqlite is not designed to be used with extremely big data so you shouldn't not use it and has missing many caching features.
Sqlite 并非设计用于处理超大数据,因此您不应不使用它,并且它缺少许多缓存功能。
Not perfect solution is to use MariaDB or its own caching script in nodejs that can use memcached/Linux ramdisk with maybe 1GB of hot cache. Using an internal nodejs caching mechanism after some time can produce many memory leak. So i can use it for network connection and I/O are using filesystem lock and many "HOT" most used files can be programmed to cached in RAM or just leave as is
不完美的解决方案是在 nodejs 中使用 MariaDB 或它自己的缓存脚本,它可以使用 memcached/Linux ramdisk 和 1GB 的热缓存。一段时间后使用内部 nodejs 缓存机制会产生许多内存泄漏。所以我可以将它用于网络连接,I/O 使用文件系统锁,许多“HOT”最常用的文件可以编程为缓存在 RAM 中或保持原样
回答by Patrick Knott
My initial answer to "should I store html in a db" is generally thbb... Sure it's safe if you know what you're storing, but are you really considering best practices when you ask only that question? The true answer is "It depends".
我对“我是否应该将 html 存储在 db 中”的最初回答通常是 thbb ......当然,如果您知道要存储的内容是安全的,但是当您只问这个问题时,您真的在考虑最佳实践吗?真正的答案是“视情况而定”。
I'm sure there are things like Wordpress that store html in a database, however, as a professional website designer, I like to remember the Separation of Concerns principle. How reusable is storing html in your database for a mobile app? Is your back end now in charge of display as well as data? Do you have many implementation possibilities for a front end or are you now stuck with whatever the back end portrays, what if you want it a different color and you've stacked ul within ul within ul? How easy is the css styling now? How easy is it to change or update that html?
我确信有像 Wordpress 这样的东西将 html 存储在数据库中,但是,作为专业的网站设计师,我喜欢记住关注点分离原则。在移动应用程序的数据库中存储 html 的可重用性如何?您的后端现在负责显示和数据吗?您是否有很多前端实现的可能性,或者您现在是否坚持使用后端所描绘的任何内容,如果您想要不同的颜色并且您在 ul 中堆叠 ul 怎么办?css样式现在有多容易?更改或更新该 html 有多容易?
I could be wrong, but even Sitecore and Kentico may store an html template in a database somewhere, but the data associated with that html template is a model, not directly on the html template.
我可能是错的,但即使是 Sitecore 和 Kentico 也可能将 html 模板存储在数据库中的某处,但与该 html 模板关联的数据是一个模型,而不是直接在 html 模板上。
So, when you are considering this question, you may want to store your models one place and your templates another, that way when you say "hey, lets build a mobile app" you can grab your data and go, rather than creating yet another table to store the same data.
因此,当您考虑这个问题时,您可能希望将模型存储在一个位置,将模板存储在另一个位置,这样当您说“嘿,让我们构建一个移动应用程序”时,您就可以获取数据并继续运行,而不是创建另一个表存储相同的数据。
