gchronis
Posted August 21, 2010

Hi, I have a MySQL database with BLOB data (MS Word files, Excel, PowerPoint, PDF etc.). I have a show_file function that assembles the blobs to send the file to the browser. It's been working great for a decade. Now, I am looking to filter the data against XSS vulnerabilities, much like I do with strings using htmlentities(). How do you go about doing that with BLOB data? I'm assuming htmlentities() will strip out characters from the BLOB data that will render the file unusable, correct?

Here is my function:

```php
function show_file( $fileID ) {
    $nodeList = array();

    // File metadata row (name, MIME type, size). Raised as E_USER_ERROR so the
    // function halts on an unknown ID instead of carrying on with $fileInfo === false.
    $fileInfo = get_record( 'FileList', 'fileID', $fileID )
        or trigger_error( 'Not a valid file ID: ' . $fileID, E_USER_ERROR );

    // Pull list of inodes (the blobID of every chunk that makes up this file)
    $nodes = get_recordset( 'FileData', 'fileID', $fileID, 'blobID' );
    if ( !$nodes ) {
        trigger_error( 'Failure to retrieve file inodes: ' . mysql_error(), E_USER_ERROR );
    }
    while ( $node = mysql_fetch_array( $nodes ) ) {
        $nodeList[] = $node['blobID'];
    }

    // Send down the header to the client
    if ( strpos( $_SERVER['HTTP_USER_AGENT'], 'MSIE' ) !== false ) {
        header( 'Cache-Control: public' );
    }
    header( 'Content-Type: ' . $fileInfo['fileType'] );
    header( 'Content-Length: ' . $fileInfo['fileSize'] );
    header( 'Content-Disposition: attachment; filename="' . $fileInfo['fileName'] . '"' );

    // Loop through and stream the nodes 1 by 1, in blobID order
    for ( $z = 0; $z < count( $nodeList ); $z++ ) {
        $query = 'SELECT fileData FROM FileData WHERE blobID = ' . (int) $nodeList[$z];
        if ( $result = mysql_query( $query ) ) {
            echo mysql_result( $result, 0 );
        } else {
            trigger_error( 'Failure to retrieve file node data: ' . mysql_error(), E_USER_ERROR );
        }
    }
}
```

So, I am looking to do something like

```php
echo mysql_result( htmlentities($result), 0 );
```

Thanks for any help you may provide,
George.
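The following is an added example and is not code from the post above or from the poster's application. It checks the assumption in the post (that htmlentities() makes BLOB data unusable) on a constructed chunk of bytes, and then shows where the XSS protection for a served file actually belongs: in the response headers rather than in the body. The sample bytes, the function names (blob_survives_htmlentities, download_headers, send_download_headers), the allow-list of MIME types and the constructed row are all assumptions for illustration; only the column names fileName, fileType and fileSize come from the original show_file().

```php
<?php
// Added example, not code from the original post. It shows two things:
//   (1) htmlentities() is an HTML-context encoder: applied to BLOB bytes it changes
//       or drops them, so the downloaded file no longer opens;
//   (2) for a download, XSS is prevented by the response headers, not by encoding
//       the body: a known or generic Content-Type, X-Content-Type-Options: nosniff,
//       a quoted and sanitised Content-Disposition filename, and a sandbox CSP.
// The sample bytes, the function names and the allow-list of types are assumptions.

// (1) Does a chunk of binary data survive htmlentities() unchanged?
function blob_survives_htmlentities($bytes)
{
    // The same call the post proposes, with explicit flags for clarity.
    $encoded = htmlentities($bytes, ENT_QUOTES, 'UTF-8');
    return $encoded === $bytes;
}

// Constructed stand-in for the first chunk of a stored PDF: it contains '<', '>', '&',
// quotes and bytes that are not valid UTF-8, all of which are normal in binary files.
$sampleChunk = "%PDF-1.4\n<</Type /Catalog>>\x00\xFF\xFE&\"'";
var_dump(blob_survives_htmlentities($sampleChunk));

// (2) Build the headers for serving a stored file as an opaque attachment.
//     $fileName, $fileType and $fileSize are the FileList columns used by show_file().
function download_headers($fileName, $fileType, $fileSize)
{
    // Types this application stores (assumed list). Anything else, including a
    // stored 'text/html' or 'image/svg+xml', is served as generic binary so the
    // browser has no reason to render it as a document with active content.
    static $allowedTypes = array(
        'application/pdf',
        'application/msword',
        'application/vnd.ms-excel',
        'application/vnd.ms-powerpoint',
        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
        'application/vnd.openxmlformats-officedocument.presentationml.presentation',
    );
    $type = in_array($fileType, $allowedTypes, true) ? $fileType : 'application/octet-stream';

    // Reduce the filename to a conservative character set: this removes path
    // separators, quotes, CR/LF and control bytes, so the quoted header value cannot
    // be broken out of and the name cannot be mistaken for a path on the client.
    $safeName = preg_replace('/[^A-Za-z0-9._-]+/', '_', (string) $fileName);
    if ($safeName === '' || $safeName === '.' || $safeName === '..') {
        $safeName = 'download';
    }

    return array(
        'Content-Type: ' . $type,
        'Content-Length: ' . (int) $fileSize,
        'Content-Disposition: attachment; filename="' . $safeName . '"',
        // Stops the browser from sniffing the body into text/html or script.
        'X-Content-Type-Options: nosniff',
        // If a client renders the body anyway, scripts are disabled and it runs in an
        // opaque origin with no access to this site's cookies, storage or DOM.
        'Content-Security-Policy: sandbox',
    );
}

// Drop-in for the header() block in show_file(): send the headers, then stream
// the BLOB chunks exactly as stored, with no encoding applied to the bytes.
function send_download_headers($fileName, $fileType, $fileSize)
{
    foreach (download_headers($fileName, $fileType, $fileSize) as $header) {
        header($header);
    }
}

// Demonstration with a constructed FileList row whose filename and type are hostile.
$row = array(
    'fileName' => "../report\"; x=\r\nSet-Cookie: a=b.pdf",
    'fileType' => 'text/html',
    'fileSize' => 12345,
);
print_r(download_headers($row['fileName'], $row['fileType'], $row['fileSize']));
```

In show_file() this replaces the four header() calls with send_download_headers($fileInfo['fileName'], $fileInfo['fileType'], $fileInfo['fileSize']); the echo of each chunk stays exactly as it is, because the bytes of the file must reach the client unmodified. The place for htmlentities() is the HTML page that prints the filename and builds the download link, not the download body. Note that PHP's header() already refuses values containing CR or LF, so the filename sanitising here is about keeping the quoted value well-formed and the saved filename predictable, not a substitute for that check.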