Monkuar Posted September 20, 2012 Share Posted September 20, 2012 do we need to escape data that is entered into fwrite into a file? my code: $fh = @fopen('terms.html', 'wb'); fwrite($fh, ''.$_POST['Post'].''); fclose($fh); simple terms of service here, should i do mysql_real_escape_String and other sanitizing options or is it fine? will it ever result in an error if someone injecting malicious code? Quote Link to comment Share on other sites More sharing options...
Adam Posted September 20, 2012 Share Posted September 20, 2012 Depends what the file is going to be used for..? Quote Link to comment Share on other sites More sharing options...
Christian F. Posted September 20, 2012 Share Posted September 20, 2012 Since it's a HTML file, you should use htmlspecialchars (), unless you want to allow HTML markup to be written to the file. But again, as Adam said: Output escaping depends upon the system you're outputting content to, and whether or not you want the content to be perceived as pure data or as syntax. As for mysql_real_escape_string (): Ask yourself if you are going to save the file in a MySQL database. Quote Link to comment Share on other sites More sharing options...
Monkuar Posted September 20, 2012 Author Share Posted September 20, 2012 Well, It will just be store basic html so I can use terms.html wherever I want globally. I guess I will just leave it like it is, maybe put a strlen max characters or something. Thanks all Quote Link to comment Share on other sites More sharing options...
Christian F. Posted September 20, 2012 Share Posted September 20, 2012 You're welcome. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.