hyperlinks stored in pgsql (pgsql Novice forum, PostgreSQL category)
operationsengineer1@yahoo.com wrote:

i'm wondering if there are any issues i should be aware of when storing "active" hyperlink data in my db. right now, i'm storing text like "http://domain.com" in the db. when i display the data, it displays as text and the user has to copy and paste it to the address bar and press enter to view the link. i'd like to enter "<a href="http://domain.com"> domain</a>" into the db so that the user will just have to click the link to view the hyperlinked page. somehow i think this might be a security risk, but i can't recall for sure. tia...
Andrej Ricnik-Bay wrote:
> On 9/1/06, operationsengineer1@yahoo.com
>> "<a href="http://domain.com"> domain</a>"
>>
>> into the db so that the user will just have to click
>> the link to view the hyperlinked page.
>>
>> somehow i think this might be a security risk, but
>> i can't recall for sure.
> Not from a database perspective; to postgres it's still just
> text data. Whether or not the users are able to modify the
> tags so it looks like "<a href="http://www.moresex.com"> domain</a>"
> is not a database issue :}

Agreed, this is not an issue you handle in your database. It can only store text. The behaviour that a link can be clicked should be implemented in your user interface; more specifically, the component you use to display your data should implement this.

Guessing that you are building a web application: how is getting the hyperlink from the db and displaying it as a link more of a security risk than hardcoding the link, or even having users copy and paste a link? It can still be a link to a malicious site. What you could prevent is "spoofing" (somebody entering a different href value than the displayed text) by placing the tags around the link in your own code, either when displaying or when writing to the database, but make sure you have control over this yourself.

Regards,
Stijn.
operationsengineer1@yahoo.com wrote:
> i'm wondering if there are any issues i should be
> aware of when storing "active" hyperlink data in my
> db.

You are mixing something up. A hyperlink, or any form of URL, is just a string. As such it is not magic or active unless it gets interpreted as a URL and tossed to a suitable browser.

You find a "hyperlink" datatype in MS-Access. That's still just a simple varchar where Access has the additional information that it should throw it to the program that is registered as your web browser in your operating system. Access doesn't even check whether the inserted text conforms to the rules for hyperlinks. You could store poems in such hyperlink columns and still IE won't hop anywhere if you click on the nicely blue underlined text.

Anyway ... this data type might be useful in Access, which does provide a data manipulation interface in the sense of forms, or "tables" which are in essence forms too. PostgreSQL is a storage engine that can keep your hyperlink strings ready but it doesn't have an interpreting interface. So PostgreSQL shows no data you could click on, and it has no idea about the client's environment like his favourite browser. So store URLs in varchars and let the client software interpret the data as "active" hyperlinks.

> right now, i'm storing text like "http://domain.com"
> in the db. when i display the data, it displays as
> text and the user has to copy and paste it to the
> address bar and press enter to view the link.

Where and how is the data displayed? If you type an SQL query into psql you shouldn't wonder that the text-mode output is not clickable. If you have a more comfortable program to view the data, you might be able to tell it this column holds URLs.

There's a good chance you don't even need the "http://" in front of the domain. You might run into trouble with some brain-dead web servers that won't accept "domain.com" but require "www.domain.com". And there are URLs that won't work with the "www." like "dict.leo.org".

> i'd like to enter
> "<a href="http://domain.com"> domain</a>"

If your client interface is a web application where some script language like PHP pulls data out of the DBMS and processes it dynamically to HTML, then and only then will those HTML link tags be of any use. In this case you store the domain "www.domain.com", probably with additional info like the description and an alt-text, in varchars. At runtime you let a script assemble the complete link tag and integrate it in the HTML output. e.g.

"dict.leo.org" + "online dictionary" + "click here for wisdom" + scripting -----> <a href="http://dict.leo.org" alt="click here for wisdom" target="_blank">online dictionary</a>

> somehow i think this might be a security risk, but
> i can't recall for sure.

The DBMS couldn't care less if the stored data is just a domain or a complete HTML tag.
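The two replies above land on the same rule: store the URL (and, if you want one, its label) as plain text, and build the <a> tag in application code at display time, never in the database. The following is an added example of that display step in Python; it is not code from the thread or from PostgreSQL. It assumes the rows come out of a table with `url` and `label` text columns (names chosen for the example; the sample rows in the block are constructed, not real data). It also adds the check a practitioner would want on top of what the thread says: a stored string is only turned into an href if it parses as an http or https URL, and both the href and the visible text are HTML-escaped, so a stored `<a href="http://www.moresex.com"> domain</a>` or `javascript:alert(1)` comes out as inert text rather than as markup or a script link. The visible text defaults to the URL itself, which is what closes Stijn's "spoofing" case (href and displayed text disagreeing): the tag is never read from the database, so there is nothing for a user to put a different href into.

```python
"""Build clickable links from URLs stored as plain text.

Added example for this page, not code from the thread or from PostgreSQL.
Assumes a table read out as rows with `url` and `label` text columns
(column names and function names are chosen for the example).
"""
from html import escape
from urllib.parse import urlsplit

# Only schemes that make sense as a clickable web link. Anything else
# (javascript:, data:, file:, ...) is shown as text and never placed in href.
ALLOWED_SCHEMES = {"http", "https"}


def normalize_url(raw):
    """Return an absolute http(s) URL for a stored string, or None.

    A bare host such as "domain.com" gets "http://" prepended (the thread
    notes users often leave it off). Other schemes, missing hosts and
    unparsable host:port parts are rejected rather than guessed at.
    """
    candidate = raw.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    if not parts.hostname:
        return None
    try:
        parts.port  # raises ValueError for e.g. "javascript:alert(1)" as netloc
    except ValueError:
        return None
    return parts.geturl()


def render_link(url, label=None, new_window=False):
    """Wrap a stored URL in an <a> tag assembled here, in code.

    If the stored string is not an http(s) URL it is returned as escaped
    plain text, so nothing a user typed is ever emitted as markup.
    """
    safe_url = normalize_url(url)
    if safe_url is None:
        return escape(label or url)  # plain text, not clickable
    text = label or safe_url         # default text is the URL: no spoofing
    attrs = 'href="%s"' % escape(safe_url, quote=True)
    if new_window:
        attrs += ' target="_blank" rel="noopener noreferrer"'
    return "<a %s>%s</a>" % (attrs, escape(text))


def render_rows(rows):
    """Render a list of {"url": ..., "label": ...} rows as fetched from the DB."""
    return [render_link(r["url"], r.get("label")) for r in rows]


# Constructed sample rows standing in for: SELECT url, label FROM links
SAMPLE_ROWS = [
    {"url": "http://domain.com", "label": "domain"},
    {"url": "dict.leo.org", "label": "online dictionary"},
    {"url": "https://example.org/search?q=a&b=c", "label": None},
    # A whole tag typed into the URL field: rendered as escaped text.
    {"url": '<a href="http://www.moresex.com"> domain</a>', "label": None},
    {"url": "javascript:alert(1)", "label": "click"},
]

if __name__ == "__main__":
    for html in render_rows(SAMPLE_ROWS):
        print(html)
```

Running the block prints one rendered line per sample row; the last two rows come out as text with no href at all. If you also want the check at write time (the "or when writing to the database" option in Stijn's reply), a CHECK constraint on the column, for example `CHECK (url ~ '^https?://')`, stops a non-http(s) string from being inserted in the first place; the escaping at display time still has to stay, because the constraint says nothing about `<`, `"` or `&` inside an otherwise valid URL.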