Monkuar
Posted September 20, 2012

Do we need to escape data that is entered into fwrite into a file?

My code:

    $fh = @fopen('terms.html', 'wb');
    fwrite($fh, ''.$_POST['Post'].'');
    fclose($fh);

Simple terms of service here. Should I do mysql_real_escape_string and other sanitizing options, or is it fine?

Will it ever result in an error if someone is injecting malicious code?

Adam
Posted September 20, 2012

Depends what the file is going to be used for..?

Christian F.
Posted September 20, 2012

Since it's an HTML file, you should use htmlspecialchars(), unless you want to allow HTML markup to be written to the file.

But again, as Adam said: Output escaping depends upon the system you're outputting content to, and whether or not you want the content to be perceived as pure data or as syntax.

As for mysql_real_escape_string(): Ask yourself if you are going to save the file in a MySQL database.
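
The htmlspecialchars() advice above, worked through for the case where the posted text should be shown as plain data rather than parsed as markup. This is an added example, not code from the thread; `render_terms`, `save_terms`, the 20000-byte cap and the temp-file path are assumptions made for illustration.

```php
<?php
// Added example: escape for the context the data ends up in (an HTML file),
// not for a context it never touches. mysql_real_escape_string() is absent
// on purpose, because nothing here goes into an SQL query.

const MAX_TERMS_BYTES = 20000; // assumed size cap, not a value from the thread

// Hypothetical helper: turn untrusted text into inert HTML.
function render_terms(string $raw): string
{
    if (strlen($raw) > MAX_TERMS_BYTES) {
        throw new LengthException('Terms text exceeds ' . MAX_TERMS_BYTES . ' bytes');
    }
    // <, >, &, " and ' become entities, so a browser displays the text
    // instead of interpreting it as tags or attributes. ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string.
    $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Line breaks are the only markup added, and only after escaping.
    return nl2br($escaped, false) . "\n";
}

// Hypothetical helper: write the rendered text, failing loudly.
function save_terms(string $raw, string $path): void
{
    $html = render_terms($raw);
    // No @ suppression: a failed write should surface, not be hidden.
    // LOCK_EX keeps two concurrent saves from interleaving their output.
    if (file_put_contents($path, $html, LOCK_EX) === false) {
        throw new RuntimeException("Could not write $path");
    }
}

// Constructed sample standing in for $_POST['Post'].
$sample = "Terms & conditions\n<script>alert(1)</script>";

// Assumed location for the demo; the thread writes to terms.html.
$path = sys_get_temp_dir() . '/terms_example.html';

save_terms($sample, $path);

// The saved file contains entities, not a live <script> element.
echo file_get_contents($path);
```

If the file is meant to carry real HTML markup, escaping everything defeats the purpose; in that case the protection has to come from restricting who can submit the form.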

Monkuar
Posted September 20, 2012

Well, it will just store basic HTML so I can use terms.html wherever I want globally.

I guess I will just leave it like it is, maybe put a strlen max characters or something.

Thanks all.

Christian F.
Posted September 20, 2012

You're welcome.