berridgeab, posted January 28, 2011

Hello, I'm quite confused at what filtering I should use on my data when pulling it from a MySQL database. I don't sanitize my data on input because I am using prepared statements with PHP's PDO driver, which means I don't need to use mysql_real_escape_string() at all. When I pull the data to be displayed, i.e. in an HTML table, I use the below function to make it safe for HTML output.

public static function htmlSafe($data) {
    return nl2br(htmlentities($data, ENT_QUOTES));
}

However, the rules change when I'm using an HTML form to edit the data, and I am unsure what I need to strip out. I.e. what would I need to do to make all data safe to insert into the following form input?

<input id = "someInput" type = "text" value = "<?php echo $someVarThatNeedsFiltering ?>" />

Also, one more question: in my HTML attributes (valid ones like class, name, id, style, _target) I use a mixture of double quotes (") and single quotes (') for quoting my values. Which one should I use, or which one is more valid, doubles or singles?
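As an added example (not code from the thread), the following PHP shows the two output contexts side by side: the element-body escaper from the post, and a separate attribute escaper for the value="..." case. The function names htmlSafe(), attrSafe(), renderInput() and selfCheck() and the sample row are constructed for this example. It uses htmlspecialchars() rather than htmlentities(); for the five characters that matter here (&, <, >, ", ') both behave the same, and ENT_QUOTES makes the result safe whether the attribute is written with double or single quotes, which are equally valid in HTML.

```php
<?php
// Added example, not from the original thread. Function names are hypothetical.
declare(strict_types=1);

/**
 * Escape a database value for an element body (e.g. a table cell).
 * nl2br() runs AFTER escaping so the <br /> tags it inserts are not
 * themselves turned into &lt;br /&gt;.
 */
function htmlSafe(?string $data): string
{
    return nl2br(htmlspecialchars((string) $data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

/**
 * Escape a database value for a quoted attribute such as value="...".
 * No nl2br() here: a <br /> inside an attribute is meaningless and its '<'
 * would be escaped anyway. ENT_QUOTES encodes both " (as &quot;) and
 * ' (as &#039;), so the value cannot terminate the attribute regardless of
 * which quote style encloses it. ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string, which would silently blank a field.
 */
function attrSafe(?string $data): string
{
    return htmlspecialchars((string) $data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the edit-form input from the raw value fetched via PDO. */
function renderInput(string $id, ?string $value): string
{
    return sprintf('<input id="%s" type="text" value="%s" />', attrSafe($id), attrSafe($value));
}

/**
 * Self-check on a constructed row containing both quote styles, angle
 * brackets and a newline. Returns true when both escapers produce the
 * expected output.
 */
function selfCheck(): bool
{
    // Constructed sample value, not real data.
    $sample = "Bob \"Bobby\" O'Brien <admin>\nline two";

    $expectedInput = '<input id="someInput" type="text" value="'
        . 'Bob &quot;Bobby&quot; O&#039;Brien &lt;admin&gt;' . "\n" . 'line two" />';
    $expectedBody = "Bob &quot;Bobby&quot; O&#039;Brien &lt;admin&gt;<br />\nline two";

    return renderInput('someInput', $sample) === $expectedInput
        && htmlSafe($sample) === $expectedBody;
}

echo renderInput('someInput', "Bob \"Bobby\" O'Brien <admin>"), PHP_EOL;
echo selfCheck() ? "self-check passed" : "self-check FAILED", PHP_EOL;
```

Escaping only on output, as the post already does, is the right place for it: when the form is submitted, the browser sends the decoded characters (the entities exist only in the served HTML), so the value written back through the prepared statement is the original text and nothing gets double-encoded. For a textarea the same attrSafe()-style escaping applies, again without nl2br().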
berridgeab (author), posted January 28, 2011

No worries, it appears the browser converts the entities back to their valid characters at some point.