I am using PDO to users input, but right now I’m not using PDO when displaying content from my MySQL database (still the old fashioned way with SQL commands..).
Is it necessary to filter/sanitiza inputs from users when inserting data to a MySQL database?
AND, if the way to go is to sanitize the output instead, then what is the best way to sanitize output? Am I good to go, if I just use htmlspecialchars() or do i need to use strip_tags() and other things also?
I am using placeholders and prepared statements.
Thank you.
You’re confusing different sanitizing here :
The SQL sanatizing for data to insert to your DB. With prepared query with params, no need to escape, PDO do it internally. If you don’t use prepared queries, use them. It’s bullet-proof (as far as I know).
The data you get from your DB and output as HTML : here you have to sanatize before printing it to your user (to prevent XSS), either by using
htmlspecialchars(),htmlentites()orstrip_tags(), depending what you want to escape or delete.