webref.eu Posted August 13, 2008 Share Posted August 13, 2008 Hi All I'm writing a review script and I get the user's review from the form as follows: $ReviewDesc=$_POST['txtReviewDesc']; Now, when I insert this data into my database, I will be using mysql_real_escape_string as I understand this is best practice. 1) Is it also advisable to use: $ReviewDesc=htmlspecialchars($ReviewDesc); before doing the database insert? I understand this should prevent any attempt at rogue html or Javascript insertion. 2) Also, is it better to use htmlspecialchars($ReviewDesc); or htmlentities($ReviewDesc); and why? 3) Is there anything else I should be doing? Thanks All. Quote Link to comment Share on other sites More sharing options...
Psycho Posted August 13, 2008 Share Posted August 13, 2008 Here are my opinions: Is it also advisable to use: $ReviewDesc=htmlspecialchars($ReviewDesc); before doing the database insert? I understand this should prevent any attempt at rogue html or Javascript insertion. No I would NOT use htmlspecialchars on data before inserting it into the database. The reason why is that it is easier to keep data in it's original state until you know the context that you need to display it. For example, if you want to display the content as text on the page then you would use htmlspecialcharacters before you display it. But, if you need to insert the content into a textarea for editing purposes you would display it as is. If you had used htmlspecialcharacters then you would need to reverse that before displaying for editing purposes. The same goes for numbers. I would store numbers as integers or floats in the database and save the formatting of the number for just before I display it. 2) Also, is it better to use htmlspecialchars($ReviewDesc); or htmlentities($ReviewDesc); and why? htmlentities() is much more comprehensive than htmlspecialcharacters(), which only tanslates about a half dozen characters. I would probably stick with htmlentities unless a specific problem is found. But, it really depends on how and where you are using the content. Quote Link to comment Share on other sites More sharing options...
webref.eu Posted August 14, 2008 Author Share Posted August 14, 2008 Thanks for your reply. Are there any further views? Rgds Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.