
Editing Data using a HTML Form from a MySQL Database


berridgeab


Hello

 

I'm quite confused about what filtering I should use on my data when pulling it from a MySQL database. I don't sanitize my data on input because I am using prepared statements with PHP's PDO driver, which means I don't need to use mysql_real_escape_string() at all.

 

When I pull the data to be displayed, i.e. in an HTML table, I use the function below to make it safe for HTML output.

 

public static function htmlSafe($data)
{
    // Escape &, <, >, " and ' for HTML body text, then turn newlines into <br />
    return nl2br(htmlentities($data, ENT_QUOTES));
}

 

However, the rules change when I'm using an HTML form to edit the data, and I am unsure what I need to strip out, i.e. what would I need to do to make all data safe to insert into the following form input?

 

<input id = "someInput" type = "text" value = "<?php echo $someVarThatNeedsFiltering ?>" />

 

Also, one more question: in my HTML attributes (valid ones like class, name, id, style, _target) I use a mixture of double quotes (") and single quotes (') for quoting my values. Which one should I use, or which one is more valid: doubles or singles?
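As an added example (not part of berridgeab's post or the project's own code), one way to escape a database value for the attribute context of that input, keeping both quote styles safe; the function names and the sample value are mine:

```php
<?php
// Added example: escaping for an HTML attribute vs. for HTML body text.

// Attribute context: escape &, <, >, " and ' and do NOT apply nl2br.
// A <br /> inserted inside value="..." would just show up as literal text
// in the field, so newline handling belongs to body text only.
function attrSafe(string $data): string
{
    return htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Body context (e.g. a table cell): same escaping, then newlines to <br />.
function htmlSafe(string $data): string
{
    return nl2br(htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Builds the <input> from the post with every dynamic part escaped.
// Because ENT_QUOTES escapes both " and ', the attribute value cannot
// terminate the attribute whichever quote style the markup uses.
function textInput(string $id, string $value, bool $doubleQuotes = true): string
{
    $q = $doubleQuotes ? '"' : "'";
    return '<input id=' . $q . attrSafe($id) . $q
         . ' type=' . $q . 'text' . $q
         . ' value=' . $q . attrSafe($value) . $q . ' />';
}

// Constructed sample value containing both quote characters and a tag,
// as stored in the database (no escaping on input, as the post describes).
$fromDb = "O'Brien said \"hi\" <b>\nsecond line";

// Both renderings stay inside the value attribute; the "<b>" is inert text.
echo textInput('someInput', $fromDb, true), PHP_EOL;
echo textInput('someInput', $fromDb, false), PHP_EOL;

// For comparison, the body-text helper turns the newline into <br />,
// which is why it is the wrong choice for an attribute value.
echo '<td>', htmlSafe($fromDb), '</td>', PHP_EOL;
```

The takeaway for the quoting question is that either quote style is valid HTML; what matters is that the escaping function covers the quote character you chose, which ENT_QUOTES does for both.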
