In the spirit of GNU, openness, and Free S/W, I want to bring up another issue that I don't know how it works:
This is written in PHP--you can put PHP code in it (just type <?PHP...), why doesn't the (malicious) PHP code execute causing havoc all over the system? Is it because it uses an RDBMS?
In PHP the editor-supplied data is a post variable such as $_POST["html_edit_data_string"] (are the quotes necessary?). That string is stored as an HTML page somewhere, and then that page is loaded by a user/client.
When it is loaded, any php that is in the page gets executed by the server on its way to the browser. To prevent that, the string has to go through regular expression filters to take out malisous code that would execute on the server (PHP has all the system calls (such as "rm" any files created by the Apache user--which your ID when you get executed). Likewise, javascript could be executed by the browser, though I only think it can only set/earse cookies.. but it could be AJAX code that...
This is interesting to me for a whole other reason-this is where the image data (string w/in a string) can be located, altered into a normal image (ie jpg) and stored, and the img reference to it can can be subsituted into the string to string to create a normal web page, rather than one w/ image data in it (there is really no other way).
I wrote my very last paper using the original "composer" that came with ncsa moasic (first graphic browswer), later netscape, etc, to Sea Monkey. I am wondering if that is not the place to develop given all potential the security issues. Sea Monkey composer has problems, but all are with optional features that can be found in the browser itself, such as text searching and spell checking. The major advantage is that I could paste from the clipboard, such as illustrations, or, even more useful, text directly from google books so that I could look at it while I wrote-in the material for the paper(s).
I will continue with the TinyMCE browser until it has a filesystem list for all the files and a search function, then give it a rest. I am beginning to feel that the web-connecting "app" route (such as on Android) makes more sense than the "intelligent" web page that started as CGI and became javascript.
"When it is loaded, any php that is in the page gets executed by the server on its way to the browser."
No, it doesn't.
There are various layers of defense against this: (notheing to do with using a relational database).
This is all pretty standard stuff when it comes to creating web applications. There is more at http://docs.moodle.org/dev/Security.
that doc says: "Use the XMLDB library. This takes care of most escaping issues for you."
Another doc says "XMLDB is Moodle's database abstraction layer"
Sounds pretty relational to me...
There are different types of escaping, to deal with different sorts of potential security vulerabilities.
XMLDB does the escaping necessary to prevent SQL-injection attacks. Until now in this thread, you have been talking about other sorts of vulnerabilites, not SQL-injection.