Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Possible Duplicate:
Best way to prevent SQL Injection in PHP
On my site I have some HTML contents that a user sometimes must save in database. What is the safe way to do this (I don’t want my database to be in danger, or users who will see that code later, called from database).
So what I have read is:
Use htmlentities to save data in database, and html_entity_decode to decode data from database. Is this safe enough, or should I use something else?
Provided you’re using string escaping and/or prepared statements, HTML markup can’t cause any damage to your database. The danger with HTML markup comes when you display it to the user, as if someone has injected unsavory HTML into the markup you’re going to display then you’ve got an XSS attack on your hands.
If you’re not escaping or using prepared statements, then pretty much any data that comes from outside can be dangerous.