This question already has answers here:
when to use htmlspecialchars() function?
Closed 9 years ago.
I need to convert my strings to special characters using:
htmlspecialchars
My question is, should I convert my data before submitting it to a database or should I convert it before I display it?
You should sanitize data before inserting it into a database, and escape it on retrieval.
htmlspecialchars is used for escaping, so it should be after you’ve fetched it from the database.
It makes the data safe to insert into an HTML document. Use it before you insert it into an HTML document, not a database.
It's generally the better idea to not modify source data before storing it. It will tie your data to the specific context you're using it in. What if you ever need a different way of displaying it, e.g. in a PDF, or text format? Then you will have the html entities in your text and would need to convert them back.
IMHO performance considerations are secondary in this regard; one can still make use of caching technologies for views for this.
So, on the bottom line I suggest you always prepare your strings before display.
I'm assuming the data is already escaped/sanitised before you put it into the database so it is safe. From there, I try to change the data as little as possible on the way to the database.
The thing to remember is that maybe you're using the copy now on your website, but later down the line you may like to use it on a different device or on print. If you use htmlspecialchars before it goes to the database, you'll have to clean it up if you want to use it for something other than HTML. Formatting dates as strings before putting them into a database is a common one, but when you want to change the format...
I have always been told to "sanitize" input to a database and one of the ways to do this (as well as using prepared statements) is using htmlspecialchars() and htmlentities().
This stores quotes as `&quot;` so printing the output of the database to a page "naked" has never been a problem for XSS attacks etc.
However, I have been asked to have part of my application export certain values as pure data in .csv format and now it's full of said HTML entities.
It seems that I have two options:
Decode all values before exporting the data and leave everything else the way it is.
Exclude "sanitation" before input to the database and make sure to sanitize on the output instead (except for data exports).
As much information as there is out there, I can't find the generally accepted way to do this - is it best to do this process on the way in or way out of the database? Obviously, doing both gives me silly values like &
This question already has answers here:
HTML/XSS escape on input vs output
Should htmlspecialchars() be used on information on input or just before output?
Closed 7 years ago.
I want to get my website safe against XSS attacks.
I have one module which allows the user to insert a text (with special chars) into the database. This text is displayed on the start page.
Now my question: Should I use htmlentities($_POST["userinput"], ENT_QUOTES, 'UTF-8') before inserting the userinput into the database?
Or can I insert the userinput directly into the database and just display it with htmlentities?
Some people argue that you should sanitize against XSS on input and output. I think this is not really very valuable. For one, it only really matters that you do it on output, since that's where the vulnerability exists that you are trying to mitigate. Any solution that relies on treating the stuff coming from the database as trusted input is broken in my opinion.
The issue is that somewhere down the line, you (or the person who comes after you) may decide they need to insert the data differently - some external API - who knows. The point is, now your page has a security vulnerability in it, because you decided to trust data from the database.
The argument against doing it on the way in and the way out for me is two parts:
You aren't adding any additional security, so you are really only making people feel like it is twice as safe - this is not a feeling we ever want to create. We want to prove something is safe, not just make it feel double safe.
You also may write a bug that screws up the original data. If this happens when you are rendering it, it's not as big of a deal, because you can fix it and show it correctly. If it happens when you store it, then that data is irrecoverable.
I am working on a PHP/MySQL script that is inserting data into a database like this...
Caesar (courtesy post)
I know this is a basic question but how can I prevent the special characters from doing that?
It seems you're not just HTML-escaping your content once, but actually doing it twice. The first thing you should do is try to find out why your content ends up that way, instead of attempting to decode it to an unescaped format. You should always escape for the format you're going to use the data in, escape with the SQL escape functions when inserting, and escape with htmlspecialchars (or a similar function) when presenting the data in HTML (and take note of the character encoding used).
If the data comes in this format from another source, use html_entity_decode to normalize the text again. That does however seem weird.
I have a user input field which will be stored into a 'tinytext' field in a MySQL database; pretty standard stuff. I am wondering if there is some sort of standard or best-practice to adhere to when it comes to escaping html special characters using the php function htmlentities()?
Should I use htmlentities() before I store the data in the database or should I run the function on the data every time it is output from the website?
There is usually no reason to use htmlentities() at all any more. Just store everything in UTF-8 fields and adhere to UTF-8 all the way through.
When outputting unsafe user input as HTML, use htmlspecialchars(), ideally at the time of output so you have a copy of the original data.
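The pattern the answers above recommend (store the raw value, escape only for the context you output into), carried through the cases raised in these threads: the CSV export, the double-escaped "Caesar (courtesy post)" data, and htmlentities() versus htmlspecialchars() under UTF-8. This is an added example, not code from any of the posts; it assumes the pdo_sqlite extension, and the table, the `$userInput` value and the helper name `e()` are constructed for the demo.

```php
<?php
// Added example, not code from any of the posts above. Stores the raw string
// with a PDO prepared statement, escapes only when rendering HTML, and exports
// the raw value to CSV. Assumes the pdo_sqlite extension; the table, the
// $userInput value and the helper name e() are constructed for this demo.
declare(strict_types=1);

// Escape for an HTML text node or a double/single-quoted attribute value.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input with the characters that matter for SQL, HTML and CSV,
// plus a non-ASCII letter that htmlspecialchars() leaves alone (htmlentities()
// would turn it into &eacute;, which a non-HTML consumer does not want).
$userInput = 'Café & "Tom\'s" <b>bold</b> <script>alert(1)</script>';

// 1. Store the raw value. The prepared statement does the SQL quoting, so no
//    HTML or SQL escaping is applied to the data itself.
$ins = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$ins->execute([':body' => $userInput]);
$body = $pdo->query('SELECT body FROM comments WHERE id = 1')->fetchColumn();

// 2. HTML context: escape at output time, in both text and attribute positions.
echo '<p title="', e($body), '">', e($body), '</p>', PHP_EOL;

// 3. CSV context: the raw value goes out untouched; fputcsv() does the CSV
//    quoting (separator, enclosure and escape passed explicitly for PHP 8.4).
$out = fopen('php://output', 'w');
fputcsv($out, [1, $body], ',', '"', '');
fclose($out);

// 4. Escape-on-input would have broken both paths: the HTML page would show
//    the literal text &quot; and &amp; (double encoding), and the CSV would be
//    full of entities.
$storedEscaped = e($userInput);
echo e($storedEscaped), PHP_EOL;   // what the page shows when both sides escape
echo $storedEscaped, PHP_EOL;      // what the CSV export would contain

// 5. One-off normalisation for rows that were stored already escaped.
$normalised = html_entity_decode($storedEscaped, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
assert($normalised === $userInput);
```

Step 5 is only a migration aid for data that was escaped on the way in; once the stored rows are raw again, the escaping in step 2 is the single place the HTML output is made safe.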
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
How should be kept as HTML tags in database?
I will store HTML code through the admin page of my PHP program. I use prepared statements in PDO for storing. But before that, do I need to use htmlspecialchars() or htmlentities()?
Or by storing html using prepared statement will work fine ? Any overheads later ?
Later this html is used to display as content inside a HTML page and this content from database should render as HTML itself.
You should use htmlspecialchars on output, not when storing. PDO will handle the safety for storing the input.
For real, in your case no precautions should be taken.
There is no need for htmlspecialchars() as you want to display html and no need to use htmlentities() if the character set of your site is equal to the one you use in your database. Also you don't have to escape the string on your own as prepared statements will take care of that.
However, htmlentities() will not cause any harm but using it is just waste of performance. The easiest way to deal with the character set is to simply use UTF-8 to avoid any conflicts.
Just refer to the old posts Store HTML into MySQL database
How to store html in a mysql database
This will give you a good solution.