If you will be using the data elsewhere then use it when it is displayed on the screen, or your other program will have to parse it.
It is a good idea to always run htmlspecialchars when outputting text to the browser that came from a form.

-- Stewart

On Mon, 25 Feb 2002, Erik Price wrote:

> I was wondering if anyone could give me some advice in deciding the most
> appropriate time to use htmlspecialchars():
>
> When user input is accepted and error-checked and ready to be inserted
> into the database? Or when user input is pulled from the database and
> ready to be displayed to the screen?
>
> It seems that running htmlspecialchars() BEFORE the data goes into the
> database is the "safest" way to do it, so that potentially malicious
> characters and tags never actually make it past the script. But upon
> thinking about the implications of this, it strikes me that this will
> affect the integrity of my data -- ideally, I want to keep the data as
> "pristine" as possible while it is in the database, since it might end
> up being parsed by something other than a browser someday, in which case
> it would be best to leave the data as is.
>
> I'm leaning toward the second method, but I want to make sure that doing
> so won't expose me to any risks that I haven't considered. Please give
> me your thoughts on this.
>
> Erik
>
> ----
>
> Erik Price
> Web Developer Temp
> Media Lab, H.H. Brown
> [EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
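The pattern Stewart recommends (store the submitted text unchanged, call htmlspecialchars only at the moment it is written into HTML) in runnable form, as an added example that is not code from the thread or from either poster. The sample comment is constructed, the `$database` array is a stand-in for a real table, and the `storeComment`, `toHtml` and `toJson` helpers are names chosen here for illustration:

```php
<?php
// Added example: keep stored data pristine, escape per output context.
declare(strict_types=1);

// Constructed sample input, as a form field might submit it.
$userComment = 'Tom & Jerry say "5 < 6" <b>bold</b>';

// Constructed stand-in for the database. In real code the INSERT goes
// through a prepared statement with bound parameters, which is what keeps
// the raw text intact on the SQL side; htmlspecialchars has no role there.
$database = ['comments' => []];

function storeComment(array &$db, string $comment): void
{
    // No HTML escaping on the way in: the database holds the original text.
    $db['comments'][] = $comment;
}

// Escape for the HTML context only, at display time.
function toHtml(string $text): string
{
    // ENT_QUOTES escapes both ' and " so the value is also safe inside a
    // quoted attribute; the charset must match the page's declared encoding.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A second consumer that is not a browser (Erik's "something other than a
// browser someday"): a JSON API that must receive the unescaped text.
function toJson(array $db): string
{
    return json_encode($db['comments'], JSON_THROW_ON_ERROR);
}

storeComment($database, $userComment);

// Browser output: escaped exactly once, when it is rendered.
foreach ($database['comments'] as $c) {
    echo '<p>' . toHtml($c) . "</p>\n";
}

// API output: the stored text, with no HTML entities leaking into JSON clients.
echo toJson($database), "\n";

// Contrast: escaping before storage. The API would now hand out HTML
// entities, and the display code, which still escapes, double-encodes them
// (htmlspecialchars re-encodes '&' by default).
$escapedAtInput = toHtml($userComment);
echo toHtml($escapedAtInput), "\n";
```

Run it with `php example.php` and compare the three lines: the first is the comment rendered safely as HTML, the second is the same text in JSON exactly as submitted, and the third shows the `&amp;amp;` artefacts that appear once escaping happens twice. The practical rule this illustrates is that the encoder belongs to the output context (HTML body, attribute, URL, JSON), so the same stored value can be emitted correctly into each of them; escaping on input commits the data to one context and corrupts it for the rest.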