Allowing non-malicious code into your database

Discussion in 'Security' started by danramosd, Jan 7, 2011.

  1. #1
    I have a project where I need to allow people to enter code that will be stored in the database. I know you normally need to sanitize a form/text input before processing it, but I would like the user to be able to enter code from any language without having it harm my system. What can I do to give the users this luxury without compromising my system? The site is LAMP and uses JavaScript as well.
     
    danramosd, Jan 7, 2011
  2. cp_
    #2
    Do you want the code to ever execute?
     
    cp_, Jan 7, 2011
  3. danramosd
    #3
    Nope, I would just like for it to be displayed to other users
     
    danramosd, Jan 7, 2011
  4. Alex Roxon
    #4
    Store the code as plain text; just make sure you escape special chars properly.
     
    Alex Roxon, Jan 9, 2011
  5. cp_
    #5
    This. You should look into using htmlentities.
     
    cp_, Jan 9, 2011
  6. danramosd
    #6
    Thanks for the info, never really heard of htmlentities. I just took a look into it and have a couple of questions. If I store the data as htmlentities, do I still have to escape special chars? And should I convert the data to an htmlentity before inserting into a database or only when it is displayed to the user? Are there any other security precautions I should take when allowing users to submit their code (can range from JS, HTML, C++, SQL...)?
     
    danramosd, Jan 10, 2011
  7. cp_
    #7
    Don't store the data as htmlentities; only call it when outputting the data. Making permanent changes to the code typically isn't a good idea, especially if you would at some point want to see raw output from the db. Remember to set the encoding on your page correctly (you should be using UTF-8), as not doing so can make certain attacks possible. As for any other functions, you may want to use something like mysql(i)_real_escape to escape quotes when inserting and whatnot. I think that should be all you need to be able to accept code in your db...
     
    cp_, Jan 10, 2011
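The flow recommended in posts #4, #5 and #7 (store the submission verbatim, escape only on output, send the page as UTF-8, and never splice the raw text into SQL), as an added example that is not from the thread. It is written in Python with an in-memory SQLite database standing in for the PHP/MySQL side of a LAMP stack; the comments name the PHP function each step corresponds to. Using bound parameters instead of calling mysqli_real_escape_string by hand is my choice, not something the posters prescribed, and the sample snippets are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample submissions (not from the thread). Each contains characters that
# would be dangerous if spliced into SQL or HTML unescaped.
SAMPLE_SNIPPETS = [
    ("javascript", "<script>document.cookie='stolen';</script>"),
    ("sql", "SELECT * FROM users WHERE name = 'a'; DROP TABLE snippets; --"),
    ("cpp", '#include <iostream>\nint main() { std::cout << "x < y && y > z" << std::endl; }'),
]

# The response must declare its charset (post #7): without it a browser may sniff a
# different encoding, such as UTF-7, in which the escaping below no longer holds.
# In PHP: header('Content-Type: text/html; charset=utf-8');
RESPONSE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}


def open_db():
    """In-memory SQLite stands in for the MySQL database of a LAMP stack (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE snippets (id INTEGER PRIMARY KEY, language TEXT NOT NULL, body TEXT NOT NULL)"
    )
    return conn


def store_snippet(conn, language, body):
    """Store the submission exactly as typed. The '?' placeholders bind the values as data,
    so a quote or semicolon in the body can never terminate the statement. In PHP the
    equivalent is a mysqli prepared statement, or mysqli_real_escape_string() applied to
    every value before it is concatenated into the INSERT."""
    cur = conn.execute(
        "INSERT INTO snippets (language, body) VALUES (?, ?)", (language, body)
    )
    conn.commit()
    return cur.lastrowid


def load_snippet(conn, snippet_id):
    """Return (language, body) as submitted; nothing was altered on the way in."""
    return conn.execute(
        "SELECT language, body FROM snippets WHERE id = ?", (snippet_id,)
    ).fetchone()


def render_snippet(language, body):
    """Escape at output time only. html.escape(..., quote=True) turns & < > \" ' into
    entities, matching htmlspecialchars($s, ENT_QUOTES, 'UTF-8') in PHP, so the browser
    displays the code as text instead of parsing it as markup or running it."""
    return '<pre><code class="language-{}">{}</code></pre>'.format(
        html.escape(language, quote=True), html.escape(body, quote=True)
    )


def render_if_stored_encoded(body):
    """Why post #7 says not to encode before storing: if the body was converted to entities
    on INSERT and the display code escapes again, every '&' becomes '&amp;' and the user
    sees a literal '&lt;script&gt;' on screen. Raw storage plus one escape on output avoids
    this double encoding."""
    stored = html.escape(body, quote=True)   # the mistake: encoding before INSERT
    return html.escape(stored, quote=True)   # the normal output escape on top of it


def table_names(conn):
    """Helper to confirm that the SQL sample did not drop anything."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    return sorted(name for (name,) in rows)


if __name__ == "__main__":
    db = open_db()
    for lang, code in SAMPLE_SNIPPETS:
        sid = store_snippet(db, lang, code)
        print(render_snippet(*load_snippet(db, sid)))
```

The same rule applies to every other output context: the language name goes into an attribute here, so it is escaped with quotes handled; a snippet echoed inside a JavaScript string or a URL would need that context's own encoding, not HTML entities.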
  8. danramosd
    #8
    Excellent, I'll give that a go. Your response was very helpful!
     
    danramosd, Jan 10, 2011
  9. cp_
    #9
    You are welcome. ^^
     
    cp_, Jan 10, 2011
  10. interwho
    #10
    Could you store the base64 version of the code?
     
    interwho, Jan 27, 2011
  11. cp_
    #11
    You could, but it won't help much in preventing code from executing when outputting from the db.
     
    cp_, Jan 27, 2011