I have a user input field which will be stored into a ‘tinytext’ field in a MySQL database; pretty standard stuff. I am wondering if there is some sort of standard or best-practice to adhere to when it comes to escaping html special characters using the php function htmlentities()?
Should I use htmlentities() before I store the data in the database or should I run the function on the data every time it is output from the website?
There is usually no reason to use htmlentities() at all any more. Just store everything in UTF-8 fields and adhere to UTF-8 all the way through. When outputting unsafe user input as HTML, use htmlspecialchars(), ideally at the time of output so you have a copy of the original data.
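The pattern the answer describes, as an added example that is not part of the question or the answer above: the raw UTF-8 input is stored via a bound parameter, and htmlspecialchars() is applied once, at output time. The `comments` table, the `esc()` helper and the in-memory SQLite database (used so the script runs stand-alone; a MySQL DSN works the same way) are assumptions of this example, and the sample input is constructed.

```php
<?php
declare(strict_types=1);

// Added example: store raw input, escape at output.
// The comments table and the esc() helper are assumptions of this example.

function storeComment(PDO $db, string $raw): void
{
    // Store the untouched UTF-8 input. Parameter binding handles SQL safety;
    // HTML escaping is a separate concern and belongs at output time.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);
}

function esc(string $s): string
{
    // ENT_QUOTES escapes both ' and " so the value is safe inside quoted
    // attributes as well as in element text. ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string for the whole value.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: a user trying to inject markup and script.
$input = '<script>alert("x")</script> & "quoted" \'single\' ünïcödé';

// In-memory SQLite stands in for MySQL so the script runs offline (assumption).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
storeComment($db, $input);

$row = $db->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);

// Output: escape exactly once, where the value meets HTML.
echo '<p>' . esc($row['body']) . "</p>\n";

// Attribute context is covered too, because ENT_QUOTES escapes both quote kinds.
echo '<input value="' . esc($row['body']) . "\">\n";

// Why not escape before storing: the escaped copy is longer than the original,
// and a tinytext column (255 bytes) can truncate it in the middle of an entity.
echo strlen($input) . ' raw bytes vs ' . strlen(esc($input)) . " escaped bytes\n";

// Escaping on the way in and again on the way out double-encodes: the stored
// &amp; becomes &amp;amp; and renders literally as "&amp;".
echo esc(esc('Tom & Jerry')) . "\n";
```

Keeping the database copy raw also means the same value can later be emitted into a JSON response, an e-mail, or a JavaScript string with the escaping appropriate to that context instead of the HTML entities baked in by htmlentities().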