I am using the htmlspecialchars() function to prevent XSS attacks. I have a doubt about which of the following is the better method to store the data in the database.

Method 1: Store the user input values after applying the htmlspecialchars() function. Using this, the user input "<script>" will become "&lt;script&gt;".

Method 2: Store the user input as it is and apply htmlspecialchars() while retrieving the data and displaying it on the page.

The reason for my doubt is that I believe using method 1 there will be overhead on the database, while using method 2 the data needs to be converted again and again when requested through PHP. So I am not sure which one is better.

For more information, I am using htmlspecialchars($val, ENT_QUOTES, "UTF-8") so that it will convert ' and " as well.

Please help me clear my doubt. Also provide an explanation if possible.

Thanks.
User input is a string. Escaping is done when you want to insert some characters into some HTML / SQL / whatever code which insists on interpreting some characters as special functionality.
HTML escaping the data when and only when necessary gives you the confidence to know what you're doing. This:
echo htmlspecialchars($data);
is a lot better than:
echo $data; // The data should already come escaped from the database.
// I hope.
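The following is an added example, not code from the question or the answer above, showing what "escape at the output boundary" (the question's method 2) looks like end to end, and what goes wrong when the escaped form is what gets stored (method 1). It assumes PHP with the pdo_sqlite extension; the table name, column name and sample input are made up for the demonstration.

```php
<?php
// Added example (not from the original question or answer). Illustrates
// "store raw, escape on output" with PDO and an in-memory SQLite database.
// Assumes the pdo_sqlite extension; the comments table is invented here.
declare(strict_types=1);

// HTML escaper using the flags the question mentions, plus ENT_SUBSTITUTE so
// that an invalid UTF-8 byte sequence yields U+FFFD instead of an empty string
// (an empty string silently drops the whole value, which is easy to miss).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function storeComment(PDO $db, string $raw): int
{
    // Method 2: the raw string is stored unchanged. The prepared statement is
    // what protects the SQL layer; neither htmlspecialchars() nor addslashes()
    // has any business here, because SQL is a different context from HTML.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);
    return (int) $db->lastInsertId();
}

function loadComment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input: an XSS probe, both quote characters, an ampersand
// and a non-ASCII character, so every special case is exercised at once.
$input = '<script>alert("x")</script> O\'Reilly & Søn';

$id  = storeComment($db, $input);
$raw = loadComment($db, $id);   // comes back exactly as typed

// (1) HTML body: escape here, at the moment of output.
echo '<p>', e($raw), "</p>\n";

// (2) HTML attribute: the same escaper is safe here because ENT_QUOTES
//     encodes both ' and ".
echo '<input type="text" value="', e($raw), "\">\n";

// (3) JSON embedded in a <script> block: a different context needs a
//     different escaper. The JSON_HEX_* flags keep </script> and quotes from
//     terminating the surrounding HTML or string literal.
echo '<script>var comment = ',
    json_encode(['body' => $raw], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT),
    ";</script>\n";

// What method 1 costs. Pretend the column already held the escaped form:
$storedEscaped = e($input);

// Any output path that (correctly) escapes on output now double-encodes, and
// the reader sees the entity text instead of the characters the user typed.
echo '<p>', e($storedEscaped), "</p>\n";

// Any consumer that is not an HTML page (plain-text e-mail, CSV export, a
// search index, an API response) receives HTML entities it did not ask for.
echo json_encode(['body' => $storedEscaped]), "\n";

// The only way to make method 1 render correctly on an HTML page is to either
// skip escaping on output (and then trust that every row, from every code path
// that ever wrote to the table, really was escaped) or pass
// $double_encode = false, which re-introduces whatever entities the user typed.
echo '<p>', htmlspecialchars($storedEscaped, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false), "</p>\n";
```

The design point is the one the answer makes: the database stores a string, and the string only becomes dangerous when it is interpolated into some other language. The escaper therefore belongs next to the interpolation, and it has to match that language (HTML, attribute, JSON, SQL via placeholders), which a single pre-escaped copy in the database cannot do.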