neron-fx, posted September 12, 2007

Hi guys and gals,

I am currently working on a database class in OOP PHP5. It's a class which can connect to a database, dynamically build, generate and execute queries and return results. I just have a quick question.

I am quite aware of all the ways people can attack databases, web servers etc. through badly coded PHP and have tried to make my class as secure as possible. All data being passed to the database is thoroughly validated with my extensive validation class, then I use stripslashes() to remove the abomination that is magic_quotes and then run it through mysqli_real_escape_string(). This, along with my extensive validation, protects against SQL injection attacks.

However, I am now looking into protection against XSS attacks. I am well in the habit of using the htmlentities() function on all text to be output to the browser and this does stop most XSS attacks. However, my question is: should I use htmlentities() to encode data before it is sent to the database or just encode it before I output it? Will encoding it before stop mysqli_real_escape_string from working properly? It is easier to encode it before insertion to the DB because you don't have to encode all your output on every page that displays data from the database.

What do you all recommend?

Sorry for the long post and thanks for your time.

Kind Regards
Rob
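The two boundaries the question is about, as an added example that is not code from the original thread or from Rob's class. It assumes a table `comments(id INT AUTO_INCREMENT, body TEXT)` and placeholder connection details, and it targets PHP 5.3+ (no scalar type hints). It keeps the raw value in the database, handles the SQL boundary with a prepared statement (or, if the query string is built by hand, with real_escape_string() at that point only), and encodes for HTML at output time. A final helper shows the double-encoding you get when a value is encoded before storage and then encoded again on output.

```php
<?php
// Added example, not from the original thread. Assumptions: a MySQL table
// comments(id INT AUTO_INCREMENT, body TEXT); connection details below are
// placeholders.

// Undo magic_quotes only when it is actually on (PHP 5.3 and earlier). An
// unconditional stripslashes() would corrupt legitimate backslashes in the data.
function normalize_input($raw)
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);
    }
    return $raw;
}

// SQL boundary, preferred form: a prepared statement keeps the data out of the
// query text entirely, so neither escaping nor HTML encoding belongs here.
function store_comment(mysqli $db, $body)
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

// SQL boundary, hand-built query: escape exactly once, at the point where the
// value is spliced into SQL, and nowhere earlier.
function store_comment_escaped(mysqli $db, $body)
{
    $sql = "INSERT INTO comments (body) VALUES ('" . $db->real_escape_string($body) . "')";
    return $db->query($sql) === true;
}

// HTML boundary: encode when the value is placed into a page. ENT_QUOTES
// matters: the PHP 5 default (ENT_COMPAT) leaves single quotes alone, which is
// unsafe inside single-quoted attributes.
function render_comment($body)
{
    return htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
}

// What goes wrong if the value is encoded before storage and the output code
// (correctly) encodes again: the visitor sees "&lt;b&gt;" and "&amp;#039;"
// literally. Note that the early encoding does not break real_escape_string();
// the single quote survives as &#039; and there is simply nothing left for the
// SQL escaper to do, which is why the mistake goes unnoticed until rendering.
function double_encoding_demo($body)
{
    $stored = htmlentities($body, ENT_QUOTES, 'UTF-8'); // encoded too early
    return array(
        'stored'         => $stored,
        'rendered_twice' => render_comment($stored),     // what the page shows
        'rendered_once'  => render_comment($body),       // correct pipeline
    );
}

// Usage. The demo below needs no database; the web flow is shown commented out.
$input = normalize_input("O'Reilly <b>& co</b>"); // constructed sample input
print_r(double_encoding_demo($input));

// $db = new mysqli('localhost', 'user', 'pass', 'app'); // placeholder credentials
// store_comment($db, $input);
// $row = $db->query('SELECT body FROM comments ORDER BY id DESC LIMIT 1')->fetch_assoc();
// echo '<p>' . render_comment($row['body']) . '</p>';
```

The design point is that each encoding belongs to the context it protects: SQL escaping (or, better, parameter binding) at the query, HTML encoding at the page. Storing encoded text ties the database to one output format, so the same value cannot later be sent as JSON, plain-text email or CSV without decoding it first, and any output code that does the right thing by encoding again produces the double-encoded result the demo prints.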
Daniel0, posted September 12, 2007

It doesn't really matter. I use it right before outputting it, but if you want to you can use it before even inserting it into the database.

Oh, and please use the correct forum. This isn't a question, comment or suggestion to PHP Freaks.