I was wondering if anyone could give me some advice in deciding the most 
appropriate time to use htmlspecialchars():

When user input is accepted and error-checked and ready to be inserted 
into the database?  Or when user input is pulled from the database and 
ready to be displayed to the screen?

It seems that running htmlspecialchars() BEFORE the data goes into the 
database is the "safest" way to do it, so that potentially malicious 
characters and tags never actually make it past the script.  But upon 
thinking about the implications of this, it strikes me that this will 
affect the integrity of my data -- ideally, I want to keep the data as 
"pristine" as possible while it is in the database, since it might end 
up being parsed by something other than a browser someday, in which case 
it would be best to leave the data as is.

I'm leaning toward the second method, but I want to make sure that doing 
so won't expose me to any risks that I haven't considered.  Please give 
me your thoughts on this.



Erik Price
Web Developer Temp
Media Lab, H.H. Brown

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to