Hi,

I am trying to embed audio/video content such as youtube links and playlists from imeem.com into my website for each user of their choice.

What are the measures to be taken to display the $user_choice_video variable which is retrieved from the database? I am afraid there might be attacks if I don't take proper measures before displaying it and storing it in the database. As htmlentities() will not let the video display, what should I do to avoid any other code rather than audio/video content on the input? Also, what are the measures to be taken while storing the data into the database?

Any help, guidance is appreciated.

Thank you.

Well actually I would use htmlentities() to prevent any html from going into the database and at the same time use mysql_real_escape_string(). To help explain below is an example code for a youtube clip:

<object width="560" height="340"><param name="movie" value="http://www.youtube.com/v/vWF4x01MkzE&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/vWF4x01MkzE&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="560" height="340"></embed></object>

However, the only piece of that you ever need to record into the mysql database is v/vWF4x01MkzE&hl=en&fs=1. Then you can validate and place that string into the 2 spots where it is needed within the common code. All of the code except that little url seems to stay the same with all the youtube scripts. That's how I would do it.
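The approach described in the answer above, as an added example (not code from the thread): reduce whatever the user typed to a validated 11-character YouTube video ID, store only that, and render it into the fixed embed template. A bare ID, a youtube.com watch/v/ URL or a youtu.be URL are assumed as the accepted input forms; the PDO connection $pdo is hypothetical.

```php
<?php
// Added example: keep only a whitelisted YouTube ID from user input, so no
// user-supplied markup ever reaches the page or the database.

function extract_youtube_id(string $input): ?string {
    $input = trim($input);
    // Bare ID: exactly 11 characters from YouTube's ID alphabet.
    if (preg_match('/^[A-Za-z0-9_-]{11}$/', $input)) {
        return $input;
    }
    // Full URL: accept only youtube.com / youtu.be hosts, then pull the ID
    // from ?v=, /v/<id> or youtu.be/<id>.
    $parts = parse_url($input);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, ['youtube.com', 'www.youtube.com', 'youtu.be'], true)) {
        return null;
    }
    $candidate = null;
    if (isset($parts['query'])) {
        parse_str($parts['query'], $q);
        $candidate = $q['v'] ?? null;
    }
    if ($candidate === null && isset($parts['path'])
        && preg_match('#^/(?:v/)?([A-Za-z0-9_-]{11})$#', $parts['path'], $m)) {
        $candidate = $m[1];
    }
    // Final whitelist check: anything that is not a plain ID is rejected.
    return (is_string($candidate) && preg_match('/^[A-Za-z0-9_-]{11}$/', $candidate))
        ? $candidate : null;
}

function render_youtube_embed(string $id): string {
    // $id already passed the whitelist; escape anyway for defence in depth.
    $safe = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
    $src  = 'http://www.youtube.com/v/' . $safe . '&amp;hl=en&amp;fs=1';
    return '<object width="560" height="340">'
         . '<param name="movie" value="' . $src . '"></param>'
         . '<param name="allowFullScreen" value="true"></param>'
         . '<embed src="' . $src . '" type="application/x-shockwave-flash"'
         . ' allowfullscreen="true" width="560" height="340"></embed></object>';
}

// Storage: save only the ID, using a prepared statement instead of escaping.
// $stmt = $pdo->prepare('UPDATE users SET video_id = ? WHERE id = ?');
// $stmt->execute([extract_youtube_id($_POST['video']), $userId]);
```

The rendered template above omits allowscriptaccess="always" from the original snippet, since the embedded player does not need script access to the host page.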

Comments
Thank you this is very useful information. I will work on this.

But if I would like to leave the choice to users to input their fav songs from any source, then what would be the best approach?
Thanks in advance.

Hello sir,


The above code is working fine....

After clicking on the video, it is going to the youtube website....but I want it to play on my website itself...please give me some suggestions regarding this...
thanks

Saritha..

Well, there are two options. You could try changing the previously mentioned youtube code, which I think is called something like the "youtube video api", or you could host each video on your own site using a flv player like I have recently begun to do. The best free flv player I have found is at http://flv-player.net/players/maxi/documentation/ Enjoy.

Thank you Cwarn..... my client is not going to host all the videos on his server...so, no prob...

Thanks once again...