Home/ Questions/Q 948335
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T23:13:43+00:00

Okay I was wondering when should I sanitize my code, when I add store

  • 0

Okay I was wondering when should I sanitize my code, when I add store it in the database or when I have it displayed on my web page or both?

I ask this question because I sanitize my code before it gets stored in the database but I never sanitize when its displayed for the user.

Here is an example of how I sanitize my code before its stored in the database.

$title = mysqli_real_escape_string($mysqli, $purifier->purify(strip_tags($_POST['title'])));
$content = mysqli_real_escape_string($mysqli, $purifier->purify($_POST['content']));
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There are distinct threats you are (probably) talking about here:

    • You need to sanitize data that’s being inserted into the database to avoid SQL injections.
    • You also need to be careful with the data that’s being displayed to the user, as it might contain malicious scripts (if it’s been submitted by other users). See Wikipedia’s entry for cross-site scripting (aka XSS)

    What’s harmful to your database is not necessarily harmful to the users (and vice versa). You have to take care of both threats accordingly.

    In your example:

    You probably want to use the purifier prior to data insertion – just ensure it’s “purified” by the time the user gets it.

    You might need to use striplashes() on data retrieved from the db to display it correctly to the user if magic_quotes are on

    • 0