Should I use htmlspecialchars() before storing this information, or after retrieving it, right before outputting it?
Escape the data for the target format immediately before inserting it into that format, i.e. right before output.
This means you store the data in its original form for other purposes (for example, for a user who needs to edit it, for including it in an email, generating a PDF, searching, etc.).
In addition, I need users to be able to use quotation marks and other ordinary special characters. I know I can use the ENT_NOQUOTES flag, but it seems to me that doing so would leave security holes.
htmlspecialchars() converts quotation marks into HTML entities, so you don't need to do anything special.
My site allows BBCode.
Then you need your own BBCode parser.
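The answer's rule (store the raw text, escape immediately before output, for the context you are inserting into) together with the ENT_NOQUOTES and BBCode points from the comments, worked through in PHP as an added example that is not part of the original thread. The helper names h() and renderBBCode(), the sample input, and the in-memory array standing in for the database are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Store the raw text, escape only
// when inserting into HTML, and escape for the context (text node vs.
// attribute). h() and renderBBCode() are this example's own helper names.

// Constructed user input with characters that matter for HTML plus a BBCode tag.
$userInput = 'She said "hi" & <b>waved</b> onmouseover="alert(1)" [b]bold[/b]';

// 1. Storage: keep the original form so it can later be edited, searched,
//    put in an e-mail or rendered to PDF. An array stands in for the database;
//    a real app would use a prepared statement, which is escaping for the SQL
//    context and has nothing to do with HTML escaping.
$db = [];
$db[] = ['body' => $userInput];

// Escape a string for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES encodes both " and ' so the string cannot end an attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape first, then turn a small whitelist of BBCode tags into HTML.
// In this order the user can never supply raw markup; the [url=...] pattern
// accepts only http(s) URLs, so javascript: links are rejected, and because
// quotes were already encoded the URL cannot break out of href="...".
function renderBBCode(string $raw): string
{
    $safe = h($raw);
    $patterns = [
        '/\[b\](.*?)\[\/b\]/s'                           => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/s'                           => '<em>$1</em>',
        '/\[url=(https?:\/\/[^\s\]]+)\](.*?)\[\/url\]/s' => '<a href="$1" rel="nofollow">$2</a>',
    ];
    return preg_replace(array_keys($patterns), array_values($patterns), $safe);
}

// 2. Output: escape immediately before inserting into the page.
$row = $db[0];

// Text node: quotes come back as quotes in the browser, and the <b> and
// onmouseover text is shown literally instead of being parsed as markup.
echo '<p>' . h($row['body']) . "</p>\n";

// Attribute value (e.g. an edit form): still safe, because the encoded quote
// cannot terminate value="...".
echo '<input type="text" value="' . h($row['body']) . "\">\n";

// BBCode rendering: escaped text with [b]...[/b] turned into <strong>.
echo '<div>' . renderBBCode($row['body']) . "</div>\n";

// Same input with ENT_NOQUOTES: the raw " survives, so inside value="..." it
// would end the attribute and onmouseover=... would become a live event
// handler. That is the hole; never use this flag for attribute values.
$leaky = htmlspecialchars($row['body'], ENT_NOQUOTES, 'UTF-8');
echo 'ENT_NOQUOTES keeps the raw quote: ' . var_export(strpos($leaky, '"') !== false, true) . "\n";
```

Run it with `php example.php` and compare the three lines of markup: the text node and the attribute both show the user's quotes and angle brackets literally, while the ENT_NOQUOTES variant is only safe in a text node and must never be placed inside an attribute.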