A quick verification please htmlentities()

[Spring]

So, If I want to store something like:

 

Hello<br />
<b>This is a sentence </b>

 

I would need to use

htmlentities

 

So I could output the HTML after it's stored in the database safely?

[Psycho]

Typically, you want to store the data in its original format. Then, translate the data at the time you are going to output it.

 

Here are a couple reasons why this is a better approach, IMO:

 

1. If you run the input through htmlentities(), or any other translation, you will expand the size of the content. This can cause problems when you are trying to define the size of your database fields. E.g. if you have a field that you only want to allow the user to enter 20 characters you will have to make the database field much larger to accommodate the content after it is run through htmlentities(). It would be uncommon for a user to enter A LOT of characters that would need to be converted. But, how many do you account for? To cover the absolute worst case scenario you would have to make the DB field at least 120 characters!

 

2. If you ever want to output the data into something other than an HTML page you will have to try and reverse the process of htmlentities(). By keeping the content in its original form you can easily translate the content for any output type you need.

[Spring]

Okay, well storing it in it's original format is fine, should I output it with that function? Or keep it outputted normally as well? I just want to make sure it's safe.

[Psycho]

Okay, well storing it in it's original format is fine, should I output it with that function? Or keep it outputted normally as well? I just want to make sure it's safe.

 

Generally, you would want to use htmlentities() on any user supplied content when using that content in the HTML markup of a page. However, there are limitless scenarios and that is not the correct process for all of them. That is your job to determien what, if anything, needs to be done - and do it.