hadoob024 Posted April 12, 2006
I was reading through this PHP security book and it recommends cleaning/screening/sanitizing information retrieved from the db prior to displaying it. Is this something that everyone recommends, or is it considered overkill?
craygo Posted April 12, 2006
Depends on what you are retrieving. Most of the time text and numbers don't need any kind of formatting or cleaning, but long text fields with, say, HTML or line breaks or things like that would need to be so-called "cleaned" to display properly. It all depends on the type of data you are storing.
Ray
hadoob024 Posted April 12, 2006 (Author)
Well, this is for a real estate website, so let's see, I have 8 small text fields (like around 30 chars), 2 integer fields, and 1 field for a listing description that's 240 chars max. Like I know to use htmlentities() to clean up these fields for proper display, but do I need to run everything through some eregi() checks or something to validate the information again before displaying it? Or does this all depend on how secure the db server is?
AndyB Posted April 12, 2006
I'd suggest re-reading that part of the book. Good practice would be to clean/screen/sanitize data [b]before adding[/b] it to the database.
hadoob024 Posted April 12, 2006 (Author)
Yup. I do that too. I check lengths and type of info entered into the form, then I set a variable equal to the $_POST variable passed through. I then verify it using eregi(). I also use trim(), strip_tags(), etc. And only after it passes all these checks do I actually store the info in the db. But the book suggested that just to be on the safe side, to also then verify the info when it's pulled out of the db but before displaying it.
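The point the thread circles around (validate on the way in, escape for the output context on the way out) as an added PHP example, not code from any poster here; the field names and the sample row are assumptions constructed for illustration. It renders one listing row into an HTML fragment and shows that markup which reached the database anyway (a skipped check, a direct edit to a table) comes out as inert text rather than live HTML.

```php
<?php
// Added example: escape listing fields at output time, for the HTML context
// they are rendered into, regardless of what validation ran on insert.
// Field names and the sample row are assumptions for illustration.
declare(strict_types=1);

/**
 * Render one listing row as an HTML fragment.
 * Strings go through htmlspecialchars() for the HTML context; integer
 * fields are cast so nothing but digits can reach the page.
 */
function renderListing(array $row): string
{
    $h = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Short text fields (the "around 30 chars" ones from the thread).
    $city   = $h(mb_substr((string) $row['city'], 0, 30));
    $street = $h(mb_substr((string) $row['street'], 0, 30));

    // Integer fields: the cast discards any trailing non-numeric junk.
    $price    = (int) $row['price'];
    $bedrooms = (int) $row['bedrooms'];

    // Description (240 chars max): escape FIRST, then convert newlines.
    // nl2br() after escaping keeps the line breaks for display while any
    // tags in the stored text are already neutralised.
    $desc = nl2br($h(mb_substr((string) $row['description'], 0, 240)));

    return "<div class=\"listing\">\n"
         . "  <h2>{$street}, {$city}</h2>\n"
         . "  <p>Price: {$price}, {$bedrooms} bedrooms</p>\n"
         . "  <p>{$desc}</p>\n"
         . "</div>\n";
}

// Constructed sample row: assume markup got past the insert-time checks.
$row = [
    'city'        => 'Springfield',
    'street'      => '12 Elm <b>St</b>',
    'price'       => '250000abc',
    'bedrooms'    => 3,
    'description' => "Sunny home.\n<script>alert(1)</script> Near schools.",
];

echo renderListing($row);
```

The same row would need a different escaper if it were written into a JavaScript block or a URL parameter, which is why the escaping belongs at the output step rather than in the database.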