Filter data on input or output?


CMC

Hello everyone,

 

I'm working on a site that will have user input which will then be output back (as most sites do), and all data will be stored in a database.

I'd just like to hear your thoughts on the following question: should I filter data on input or output, or both?

 

I'd just like to clarify exactly what I mean by filtering (to me, filtering is different from securing data).

Filtering = converting input to various types (BBCode to HTML, newlines to HTML, htmlentities(), word matching, etc.)

Securing data = type checking (int when it is supposed to be int) and blanks, mysql_real_escape_string.

 

I've always been filtering it on input and storing it in the DB ready for immediate output. However, I have read a few posts around here about security and I've seen a few recommendations to filter on data output. Of course, SQL injection filtering would need to be done on input, but is there any advantage to doing the rest on data output (say converting BBCode, caps, etc.)? The only advantage I can think of would be perhaps a smaller database size overall.

 

Thoughts?


BBCode and similar things should always be done on output. That allows you to be flexible, in case you want to disable a tag and have that change be retrospective, for example. If you did those conversions on input then you'll have a big headache trying to find where the conversions took place.

 

It's part of the general principle of storing data in a form that can be easily manipulated by your program, and only converting it to the user-readable form when it needs to be read by a user. It also allows you to display those tags in different ways for different purposes, such as an RSS feed, or XML.

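Putting the two posts together in code, as an added example that is not from the original thread: the SQL boundary is handled on input with a prepared statement (which replaces mysql_real_escape_string), the text itself is stored exactly as typed, and all "filtering" (HTML escaping, BBCode, newlines) happens at output time, per output context. The in-memory SQLite database, the `posts` table and the BBCode tag allow-list are constructed here for the demonstration and are assumptions, not anything the thread specifies; the script needs PHP with the pdo_sqlite extension.

```php
<?php
// Added example for this thread, not code posted by either participant.
// Assumptions: PDO with the pdo_sqlite extension, a hypothetical `posts`
// table created below, and a hypothetical BBCode allow-list.
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// Input side: only "securing" happens here. Validate the integer, keep the
// text exactly as typed. The prepared statement takes care of quoting, so no
// escaping of the string is needed (or wanted) before storage.
function storePost(PDO $db, $authorId, string $body): int {
    $authorId = filter_var($authorId, FILTER_VALIDATE_INT);
    if ($authorId === false || $authorId < 1) {
        throw new InvalidArgumentException('author_id must be a positive integer');
    }
    $stmt = $db->prepare('INSERT INTO posts (author_id, body) VALUES (:author_id, :body)');
    $stmt->execute([':author_id' => $authorId, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Output side, HTML context: escape first, then run the markup conversions on
// the escaped text. Every <, >, &, " and ' the user typed is already inert, so
// the only real tags in the result are the ones this function generates.
function renderHtml(string $raw, array $enabledTags = ['b', 'i', 'u']): string {
    $html = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    // Allow-list of BBCode tags and the HTML element each maps to (hypothetical set).
    $tags = ['b' => 'strong', 'i' => 'em', 'u' => 'u'];
    foreach ($tags as $bb => $el) {
        if (!in_array($bb, $enabledTags, true)) {
            continue; // a tag dropped from the allow-list disappears from every old post too
        }
        $pattern = '~\[' . $bb . '\](.*?)\[/' . $bb . '\]~s';
        $html = preg_replace($pattern, '<' . $el . '>$1</' . $el . '>', $html);
    }
    return nl2br($html, false); // newline-to-HTML conversion also belongs to output
}

// Output side, a different context (plain-text feed or e-mail): same stored
// value, different rendering. Here BBCode is stripped rather than converted.
function renderPlainText(string $raw): string {
    return preg_replace('~\[/?[a-z]+\]~i', '', $raw);
}

// Constructed sample input: SQL quote, XSS attempt, BBCode and a newline in one post.
$db  = openDb();
$id  = storePost($db, '7', "Bob's [b]bold[/b] <script>alert(1)</script>\nline two");
$raw = loadPost($db, $id);

echo "stored:     ", $raw, "\n";                       // unchanged from input
echo "html:       ", renderHtml($raw), "\n";           // [b] becomes <strong>, script is escaped
echo "html (no b):", renderHtml($raw, ['i', 'u']), "\n"; // [b] now shows literally; the DB was not touched
echo "plain:      ", renderPlainText($raw), "\n";
```

The second renderHtml() call is the point of the reply above: disabling [b] is a one-line change in the allow-list and applies to every stored post, which is impossible if the conversion had already been baked into the database. Storing the raw text also means the same row can feed an HTML page, a plain-text feed, or XML without a reverse conversion.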
