What is the industry standard inserting user input that may contain apostrophes into a database? Such an input will be displayed back to users on a webpage. For example, a user updates some field to “I’m cool“. I insert it into my database with this function:
public function updateDatabase($value) {
$value = mysql_real_escape_string($value);
Database::instance()->query(
'UPDATE myTable
SET myColumn = ' . $value . '
WHERE foo = "bar"'
);
}
The database will now store “I\’m cool“. To display this value properly and safely back to any user, I would have to clean it with this function:
public function toSafeDisplay($userGeneratedValue) {
return stripslashes(
htmlentities(
$userGeneratedValue
)
);
}
My concern is that doing stripslashes and htmlentities on everything I want to display on a webpage will be very processor intensive. The general concensus on StackOverflow is to not do htmlentities before inserting into the database, so that the data is as raw as possible. This would allow it to be later displayed in any medium, not just websites. So we’re forced to do htmlentities at display time. Is this also true with stripslashes? Or is it possible to remove all the slashes before the apostrophes before updating the database without introducing SQL injection attacks?.
The database should not store it as
I\'m cool, but rather asI'm cool. The escape is to allow the apostrophe to be included as part of the data updated inmyColumn. I have seen cases where a site displaysI\'m coolback to the user, but that is probably a case of double-escaping.Edit:
mysql_real_escape_stringdoes not store slashes in the database. It escapes the value in the SQL statement. The only way you would get extra slashes in the database is if you did something equivalent tomysql_real_escape_string(mysql_real_escape_string($value)).