CMC, posted January 19, 2009

Hello everyone,

I'm working on a site that will take user input which will then be output back (as most sites do), and all data will be stored in a database. I'd just like to hear your thoughts on the following question: should I filter data on input or on output, or both?

I'd just like to clarify exactly what I mean by filtering (to me, filtering is different from securing data):

Filtering = converting input to various types (BBCode to HTML, newlines to HTML, htmlentities(), word matching, etc.)
Securing data = type checking (int when it is supposed to be int) and blanks, mysql_real_escape_string().

I've always been filtering on input and storing the result in the DB ready for immediate output. However, I have read a few posts around here about security, and I've seen a few recommendations to filter on data output. Of course, SQL injection filtering would need to be done on input, but is there any advantage to doing the rest on data output (say converting BBCode, caps, etc.)? The only advantage I can think of would be perhaps a smaller database size overall. Thoughts?
.josh, posted January 19, 2009

IMO you shouldn't have data stored in your DB already formatted, simply because that makes your design capabilities less flexible. For instance, if you store all your names as <b>somename</b> and later on you don't want to have them bolded, you're going to have to go through each entry and remove the tags.
btherl, posted January 19, 2009

BBCode and similar things should always be done on output. That allows you to be flexible, in case you want to disable a tag and have that change be retroactive, for example. If you did those conversions on input, you'd have a big headache trying to find where the conversions took place.

It's part of the general principle of storing data in a form that can be easily manipulated by your program, and only converting it to the user-readable form when it needs to be read by a user. It also allows you to display those tags in different ways for different purposes, such as an RSS feed or XML.
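The split the replies recommend, as an added example rather than code from anyone in this thread: the post body is stored raw, the database step only binds parameters (a PDO prepared statement is used here in place of the mysql_real_escape_string() call mentioned above), and HTML escaping, BBCode conversion and newline handling all happen at render time. It assumes PHP with the PDO SQLite driver so it runs stand-alone against an in-memory database; the table, tag list and sample post are constructed for the example.

```php
<?php
// Allowed BBCode tags, converted only at output. Removing an entry here changes how
// every stored post renders at once, which is the flexibility the replies describe.
const BBCODE_TAGS = [
    '/\[b\](.*?)\[\/b\]/s' => '<strong>$1</strong>',
    '/\[i\](.*?)\[\/i\]/s' => '<em>$1</em>',
];

function storePost(PDO $db, string $author, string $body): void
{
    // Securing on input: values are bound as parameters, never interpolated into SQL,
    // and the text is stored exactly as the user typed it.
    $stmt = $db->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

function renderPost(string $text): string
{
    // Filtering on output, in this order:
    // 1. escape everything, so user-supplied HTML is shown literally instead of rendered
    $html = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    // 2. translate only the whitelisted BBCode into markup the site controls;
    //    because step 1 ran first, tag contents are already escaped
    $html = preg_replace(array_keys(BBCODE_TAGS), array_values(BBCODE_TAGS), $html);
    // 3. newlines become <br> for display only; the stored text keeps plain newlines
    return nl2br($html);
}

// Constructed in-memory database and sample post (not real site data).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// The sample mixes a quote character, a literal HTML tag and BBCode so each layer is exercised.
storePost($db, "O'Brien", "Hi [b]all[/b],\n<script>alert(1)</script> stays literal");

foreach ($db->query('SELECT author, body FROM posts') as $row) {
    echo renderPost($row['author']), ': ', renderPost($row['body']), "\n";
}
```

Removing the `[i]` entry from BBCODE_TAGS would make every stored `[i]...[/i]` render as plain text on the next request, without touching a single row.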