is it better to escape/encode the user input before storing it to database or to store it as it is in database and escape it while retrieving?

I am using the htmlspecialchars() function to prevent XSS attacks. I have a doubt regarding which of the following is the better method to store the data in the database.

Method 1 : Store the user input values after applying the htmlspecialchars() function. Using this, the user input "<script>" will become "&lt;script&gt;".

Method 2 : Store the user input as it is and apply htmlspecialchars() method while retrieving the data and displaying it on the page.

The reason for my doubt is that I believe using method 1 there will be overhead on the database, while using method 2 the data needs to be converted again and again when requested through PHP. So I am not sure which one is better.

For more information, I am using htmlspecialchars($val, ENT_QUOTES, "UTF-8") so that will convert ' and " as well.

Please help me clear my doubt. Also provide explanation if possible.

Thanks.

Vivek Vaghela asked Mar 01 '12 08:03




1 Answer

  1. Why do you expect that you will always use the data in an HTML context? "I <3 you" and "I &lt;3 you" is not the same data. Therefore, store the data as it's intended in the database. There's no reason to store it escaped.
  2. HTML escaping the data when and only when necessary gives you the confidence to know what you're doing. This:

    echo htmlspecialchars($data);
    

    is a lot better than:

    echo $data; // The data should already come escaped from the database.
                // I hope.
    
deceze answered Oct 21 '22 05:10
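The following is an added example, not code from the question or the answer above. It puts both methods side by side: the raw value is stored through a parameterised query (which handles the SQL context on its own) and escaped with the asker's `htmlspecialchars($val, ENT_QUOTES, "UTF-8")` call only when it is rendered into HTML, then the same stored value is emitted into a JSON and a plain-text context to show why an HTML-escaped copy in the database would be wrong there. It uses an in-memory SQLite database through PDO so it runs offline; the `comments` table, the helper names and the sample input are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). In-memory SQLite via PDO so it
// runs offline; the "comments" table and helper names are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input: ordinary text a user might type that happens to
// contain characters with special meaning in HTML.
$userInput = "I <3 you & \"quoted\" 'text' <b>not bold</b>";

// Output-time HTML escaping (the answer's method 2). ENT_QUOTES covers both
// quote styles so the result is also safe inside attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escapeHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Storage: the SQL context is handled by a bound parameter. No HTML escaping
// happens here, which is the point: the database holds the data as intended.
function storeComment(PDO $pdo, string $raw): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);
    return (int) $pdo->lastInsertId();
}

function loadComment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Method 2: store raw, escape per output context at render time.
$id   = storeComment($pdo, $userInput);
$body = loadComment($pdo, $id);

// One stored value, four output contexts, each escaped for that context only.
echo "HTML body : <p>" . escapeHtml($body) . "</p>\n";
echo "HTML attr : <input value=\"" . escapeHtml($body) . "\">\n";
echo "JSON API  : " . json_encode(
    ['body' => $body],
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
) . "\n";
echo "Plain text: " . $body . "\n"; // e.g. a text/plain e-mail: no HTML entities wanted

// Method 1 for comparison: escaping before storage ties the stored value to
// the HTML context. The routine htmlspecialchars() call every template should
// make on render now double-encodes, and non-HTML consumers receive entities.
$preEscaped = escapeHtml($userInput);
echo "\nStored pre-escaped   : " . $preEscaped . "\n";
echo "Rendered again (HTML): " . escapeHtml($preEscaped) . "\n"; // "&amp;lt;3 ..." shown to the user
echo "Sent as JSON         : " . json_encode(['body' => $preEscaped]) . "\n"; // entities leak into the API
```

Run it with `php example.php`. The design point is that the SQL layer and the HTML layer each escape for their own context and nothing else: bound parameters keep the data intact on the way in, and `escapeHtml()` is applied at the single place where the string meets an HTML parser. Because the stored value is the original text, the same row can be rendered into a page, an attribute, a JSON response or an e-mail without any consumer having to know what some earlier code already did to it.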