I wonder if there's any downside or bad practice in doing the following procedure:
- $user_input -> htmlentities($user_input) -> mysql_escape($user_input) -> insert $user_input into DB
- Select $user_input from DB -> echo $user_input
instead of doing the following:
- $user_input -> mysql_escape($user_input) -> insert $user_input into DB
- Select $user_input from DB -> echo htmlentities($user_input)
As we display the same $user_input on a lot of places it feels more efficient do to it on the input instead, are there any downsides / bad practice / exploit-ability in doing it this way?
Cheers!
Good replies to the question from:
@Matt: In general, to keep things readable and maintainable, try to store it as close to the original, unfiltered content as possible. It depends on two things:
Is any other person/program going to reference this data?
Does the data need to be easily editable?
@Sjoerd: There is a downside if you want to display the data as something else than HTML, e.g. a CSV download, PDF, etc.
It depends on two things:
- Is any other person/program going to reference this data?
- Does the data need to be easily editable?
The advantage of method one is that, in the case that the data is used in one place, and htmlentities() would be called every time, you'd be saving this step.
However, this would only leave a notable improvement if the HTML data is very large. In general, to keep things readable and maintainable, try to store it as close to the original, unfiltered content as possible.
In fact, you might find that HTML is the wrong thing to store anyway. It might be better to store something like Markdown and simply convert it to HTML when viewed.
I'd advice against it. If you ever need that data for anything other than displaying it as HTML (display in console, send in text email, write to log, etc) , you'll have to convert it back.
A good practice is to apply such transformations only at the last moment. Use mysql_escape before inserting into the database, use htmlentities (or htmlspecialchars) before displaying as HTML. That way you always know where your escape functions should be. If they're not there, you can easily tell you're doing something wrong. You also know that data in the database is always clean and you don't need to remember if you encoded it, what with and how to turn it back.
There is a downside if you want to display the data as something else than HTML, e.g. a CSV download, PDF, etc.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 太酷不给撩 的文章《PHP htmlentities() on input before DB insert, inst》','https://www.manongdao.com/article-242026.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}