0

I am wondering if it is considered bad practice to store HTML content in a database or if it is unsafe.

I am looking to implement several forms into my system that will have different fields and can change regularly. I am wondering if it would be bad practice to create each form's unique layout and store them in my database. The users won't be able to modify the forms, submit HTML to the forms, or create their own form without hacking our database. I would then take the data that the user submits and validate it for special characters before submitting the data to a database table created for each form. My plan is to loop through the request parameters pulling out the key value pairs and either send the validated list to a stored procedure or a prepared statement. The field names would have the same name, or similar name, as the column name in the database. To ensure I have the correct order, I would store the information in a MAP so that I don't need to hope the information doesn't move around somehow.

The HTML page will be stored in a clob in the database along with the SQL needed to submit the data from the client. I might just store the table name that the data needs to be submitted to and build the statement around it.

Example:

String tableName = "Form1"; //pulled from the database
String sqlLayout = "INSERT INTO ? ("+/*dynamically generated ? based on MAP keys*/+ ") VALUES ("+ /*dynamically generated ? based on MAP values*/ +")";
//Then proceed to fill in ? in the standard prepared statement way.

To load the clob into the client page, I will use jQuery's .load() on a div in the JSP.

I work with a JavaEE application that releases only once a year.

Pshemo
  • 122,468
  • 25
  • 185
  • 269
Derek Billings
  • 11
  • That aside, each form will need processing. Every change made in the database would need reprogramming on the JavaEE application. Alternatively, you could use a JSON file. Its much lighter weight given you aren't expecting to change it a whole bunch. – glend Jun 25 '15 at 15:00
  • @doveyg The Forms that will be stored in the database will be different enough that the layout won't remain the same from form to form. Once the file is uploaded to the database, it shouldn't change very often. A change to the database, as long as the required fields are still present, wouldn't prompt a change to the form. I'm trying to make each form in a way that is similar to an Entity Bean in that the names are mapped to columns in the database – Derek Billings Jun 25 '15 at 15:20
  • "The file"? None the less, I would consider it bad practice to have many unused fields. – glend Jun 26 '15 at 07:36

1 Answers1

0

The main concern is maintenance. If you change a database column, you'll have to edit the contents of the database record that is storing your form and your respective SQL code.

Hacking is not the issue. It does not matter how you'll render the form into the page. In the end it's HTML code anyway.

I would store it as a text file, an html snippet or a JSON file as mentioned by doveyg.

aldux
  • 2,774
  • 2
  • 25
  • 36
  • Because the expected form names are representative of the database columns and the SQL is generated dynamically, would the SQL code really change? I could see maintenance being an issue, but if the forms change too much, wouldn't the form simply become a new form? Alternatively, if each form changes very little, wouldn't there simply be missing information that could be either edited later or handled by the system when presenting the contents to the user? – Derek Billings Jun 25 '15 at 15:37
  • So new fields will be added, if required, automatically? Presuming the database is a relational one, how would you determine which table the column needs to go into? Maybe i'm not fully understanding the requirement by the client, is it required that the client is able to change the form on-the-fly? – glend Jun 26 '15 at 07:38