A user will input text in a textarea. It is then inserted directly into a mySQL database. I use trim, htmlentities, mysql_real_escape_string on it and I have magic quotes enabled. How should I sanitize it when outputting that data back into a textarea?
Thanks for your help. I’ve never been too sure on the correct way of doing this…
You shouldn’t use htmlentities when saving it. You should use htmlentities when displaying it. The rule of thumb is not to encode/sanitize the data until you need to. If you do htmlentities on it when you save, then you have to do html_entity_decode on the text when the user wants to edit the input. So you sanitize for what you need and nothing more. When saving it, you need to sanitize for SQL injection, so you mysql_real_escape_string it. When displaying, you need to sanitize for XSS, so you htmlentities it.

Also, I am not sure if you saw Darryl Hein’s comment, but you really do not want magic_quotes enabled. They are a bad, bad thing and have been deprecated as of PHP 5.3 and will be gone altogether in PHP 6.
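A worked version of the store-raw, encode-on-output rule described in the answer, added here and not part of the original post. It assumes PDO with the SQLite driver so it runs offline (only the DSN changes for MySQL) and uses bound parameters in place of mysql_real_escape_string, since the mysql_* functions no longer exist in current PHP; the table, column and function names are made up for the example.

```php
<?php
// Added example, not from the original answer. Assumes PDO + pdo_sqlite.
// Swapped-in technique: prepared statements instead of mysql_real_escape_string.

function saveComment(PDO $db, string $raw): int {
    // Store the text exactly as typed: no htmlentities at save time.
    // The bound parameter is what protects against SQL injection here.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);
    return (int) $db->lastInsertId();
}

function loadComment(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Encode only at the point of output. ENT_QUOTES covers both quote styles,
// so the same helper is safe in attribute values and in element content.
function htmlEncode(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function textareaField(string $name, string $value): string {
    // "</textarea>" in the value becomes "&lt;/textarea&gt;", so the user
    // cannot close the element early; the browser decodes the entities and
    // shows the original text for editing.
    return '<textarea name="' . htmlEncode($name) . '">'
         . htmlEncode($value) . '</textarea>';
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed input containing the characters that matter: quotes, an
// ampersand and a closing textarea tag.
$input = "O'Reilly & co. wrote \"hi\" </textarea><b>not bold</b>";
$id = saveComment($db, $input);

// Round trip: the database holds the original bytes, so the edit form
// needs no html_entity_decode step before re-displaying the text.
assert(loadComment($db, $id) === $input);

echo textareaField('comment', loadComment($db, $id)), PHP_EOL;
```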