LooieENG Posted September 11, 2008

<form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post" name="edit">
<p><input name="title" type="text" size="40" value="<?php echo stripslashes(htmlentities($row['title'], ENT_QUOTES)) ?>" /> <strong>User Title</strong> (30 characters max)</p>

^^^ Retrieving from db

<?php $location = html_entity_decode(mysql_real_escape_string($_POST['location']), ENT_QUOTES); ?>

^^^ Inserting into db

Is that right?
Lodius2000 Posted September 12, 2008

// Why are you stripping slashes? When you sanitize you add slashes, and then when you redisplay, if you are sure the data is sanitary, you strip them.

But on to my real answer: I would say no, because you are using ENT_QUOTES. If you strip slashes first, then all the closing tags in your string have become opening tags; then you encode with htmlentities. The problem arises when you want to decode the entities with html_entity_decode(): now you have all opening tags. Also, ENT_QUOTES encodes slashes.

In this case I would say that htmlentities(addslashes($str)) would be appropriate. That way decoding entities still works, and adding slashes neutralizes SQL-sensitive characters (i.e. single and double quotes, since all slashes are now encoded into entities). Make sure you decode with stripslashes(html_entity_decode($str)).

Long story short: entities first, then slashies, IMO.
LooieENG Posted September 12, 2008

Say the signature of the users: if I don't strip the slashes and use htmlentities, the text comes out in the textbox (for editing) as \\\"stuff\\\", so the HTML is like

<input name="stuff" type="text" value="\\\" stuff \\\" />

so I need it to be like

<input name="stuff" type="text" value=""stuff"" />

If you see what I mean. I just need to know which should come first, i.e. stripslashes before htmlentities (or the other way round), or mres before html_entity_decode (or the other way round).
BlueSkyIS Posted September 12, 2008

stripslashes first, unless you want the added slashes to be there after you use htmlentities.
LooieENG Posted September 12, 2008

And when inserting into the database: mres(html_entity_decode()) or html_entity_decode(mres())?
Lodius2000 Posted September 12, 2008

For inserting into the db: mres(htmlentities($str)). Then pull it out and redisplay (only if you are sure it is sanitary) with stripslashes(html_entity_decode($str)).

You want to store entities in the db in case there are any <script> tags in there that contain nasty little JavaScripts. You also want to use mres so that you don't have stray quotes and slashes lying around. Then, when you want to redisplay on your web page, you turn the quotes and slashes back into quotes and slashes with stripslashes, then you redisplay the HTML with html_entity_decode (the data MUST be sanitary to do this).

The easiest way to do it, I think, would be to throw an error at input to the user when they try to use HTML.
LooieENG Posted September 12, 2008

But even if they use <b>text</b>, I'll use htmlentities so it'll be &lt;b&gt;text&lt;/b&gt; and display as the literal text <b>text</b> instead of bold text, won't it? Then I use html_entity_decode when I put it into the database to save space, and encode when I retrieve from the database.
Lodius2000 Posted September 13, 2008

But if you encode when you retrieve it, your output on your web page would be the literal text <b>text</b>, when you would probably want it to be bold text. Which is why you use bulletin board coding before submission to the db: run strip_tags, then, since you're allowing things in angle brackets, you run a str_replace with a massive array of things that you want to allow, like [b] would become <b> and so on, so that when you pull it all out of the db you have sanitized HTML that all you have to do is run a stripslashes on (because of mres).
LooieENG Posted September 13, 2008

I don't want it to be bold text, as I'll be using BBCode for that. The htmlentities/decode is so people can have quote marks in their name and signature without it ruining MySQL queries or HTML output. Sorry if I didn't explain it clearly enough.
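The thread's question is which escaping goes on the way into the database and which goes on the way out. The script below is an added example written for this page, not code from any of the posters. It shows the arrangement that makes the ordering question go away: keep the raw string, hand it to a prepared statement at the database boundary (so no quote or backslash escaping is needed for SQL), and call htmlspecialchars with ENT_QUOTES only at the HTML boundary, once, at output time. The backslashes the thread sees in $_POST come from magic_quotes_gpc on PHP 5.3 and earlier; the helper at the top strips them once at input and nowhere else. The example assumes PDO with an in-memory SQLite database; the users table, the sample title and all function names are constructed for the example.

```php
<?php
// Added example, not from the thread. Assumes PDO with the pdo_sqlite driver.

// Input boundary: on PHP 5.3 and earlier, magic_quotes_gpc adds backslashes to $_POST.
// Undo that exactly once here, so the rest of the code sees the string the user typed.
// (get_magic_quotes_gpc is deprecated in 7.4 and gone in 8.0, hence the guards.)
function rawPost(array $post, string $key): string
{
    $value = isset($post[$key]) ? (string) $post[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Database boundary: a prepared statement sends the value separately from the SQL,
// so quotes and backslashes in it are data, not syntax, and nothing is added to
// the stored string (no addslashes, no mysql_real_escape_string, no entities).
function saveTitle(PDO $db, int $userId, string $title): void
{
    $stmt = $db->prepare('UPDATE users SET title = :title WHERE id = :id');
    $stmt->execute([':title' => $title, ':id' => $userId]);
}

function loadTitle(PDO $db, int $userId): string
{
    $stmt = $db->prepare('SELECT title FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    return (string) $stmt->fetchColumn();
}

// HTML boundary: encode for the attribute context, once, at output time.
// ENT_QUOTES covers both " and ' so the value cannot break out of value="...".
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function renderEditForm(string $title): string
{
    return '<form action="edit.php" method="post" name="edit">'
         . '<p><input name="title" type="text" size="40" value="' . attr($title) . '" />'
         . ' <strong>User Title</strong> (30 characters max)</p>'
         . '</form>';
}

// Constructed fixture: an in-memory database with one user row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, title) VALUES (1, '')");

// Constructed input with the characters the thread worries about: double quotes,
// an apostrophe, a backslash and an HTML tag. Stands in for $_POST.
$fakePost = ['title' => 'Rob "The Hammer" O\'Neil \\ <b>bold</b>'];

$title = rawPost($fakePost, 'title');
saveTitle($db, 1, $title);

$fromDb = loadTitle($db, 1);
if ($fromDb !== $title) {
    throw new RuntimeException('title was altered on the way through the database');
}

// The stored string is byte-for-byte what was typed; the entities exist only in the
// rendered attribute, and the browser decodes them back into the original characters.
echo renderEditForm($fromDb), PHP_EOL;
```

Because nothing is stored with slashes or entities, the edit box shows the title exactly as typed and resubmitting the form does not double-encode it; a <script> tag in a title is rendered as literal text because it is encoded at the attribute boundary, not because it was mangled on the way into the table. BBCode conversion, which the author plans for signatures, fits this model as a separate step at render time: encode the raw text first, then replace the allowed [b]...[/b] patterns with tags.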