My Approach while INSERT’ing INTO MySql
I think I read on stackoverflow.com that "if you need escaping or similar action, do it just in time you need", so in the verification pages where I verify the user inputs (null or not check, length check and structural checks (e.g. mail structure, custom tag structures)) I use the $_POST[''] variables as inputs. During verifications, even in the custom error printing parts, my error messages do not include any of the $_POST[''] values in the message texts.
As an interim note: I utilize prepared statements and parameterized queries during PHP-MySql interactions. If inputs are verified, just before INSERT'ing INTO MySql I strip the tags from the input, since I don't allow any HTML tags other than custom structured tags (for example **bold text** === <strong>bold text</strong>). Then I insert the user input into the MySql db.
My Approach while fetching from MySql & printing the output to the screen
I only apply htmlspecialchars() when printing output from the MySql db to the screen.
My Question
I am not sure of myself. Is there any obvious or hidden weakness in my approach? Thanks in advance for php gurus’ valuable comments. BR
UPDATE
I won't strip tags during insert into the MySql db. For the reasons, please refer to the comments of ÁlvaroG.Vicario below. BR.
I tried the code below in trial.php [image]
Results of trial.php [image]
Resulting procedure while INSERT'ing INTO MySQL & fetching from MySQL and printing the output to the screen [image]
strip_tags() will disrupt what the user exactly cared typing, just like htmlspecialchars() OR htmlentities() will do also. htmlspecialchars(), so what the user exactly cared typing won't break and possible malicious special characters will be converted to their corresponding HTML entities.

The discussion thus far has been about protecting from SQL Injection and Persistent cross site scripting. It sounds like you're on the right track.
"...the escape syntax for the part of the HTML document you're putting untrusted data into."
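As an added example (not code from the question or any of the answers), the approach discussed in the thread end to end: validate the raw $_POST value, INSERT it unchanged through a prepared statement, and call htmlspecialchars() only at output time, converting the custom **bold** markup into <strong> after escaping so the user's own characters never reach the HTML parser unescaped. The PDO connection $pdo, the posts table and the function names are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Assumes a PDO connection $pdo
// and a table posts(id, body); both are hypothetical.
declare(strict_types=1);

/** Validate the raw $_POST value: present, length-bounded, balanced ** markers. */
function validateBody(?string $raw): string
{
    if ($raw === null || trim($raw) === '') {
        throw new InvalidArgumentException('body is required');
    }
    if (mb_strlen($raw) > 2000) {
        throw new InvalidArgumentException('body too long');
    }
    // Structural check for the custom tag: markers must come in pairs.
    if (substr_count($raw, '**') % 2 !== 0) {
        throw new InvalidArgumentException('unbalanced ** markers');
    }
    return $raw;
}

/** Store the text exactly as typed; the bound parameter keeps it out of the SQL grammar. */
function storeBody(PDO $pdo, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

/** Escape for an HTML element body, then apply the trusted markup on the escaped string. */
function renderBody(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Only the literal <strong> emitted here becomes a tag; user-typed < > & " ' are entities.
    return preg_replace('/\*\*(.+?)\*\*/s', '<strong>$1</strong>', $safe) ?? $safe;
}

// Constructed sample input: custom markup plus characters that would be
// harmful if echoed raw into the page.
$input = 'Hello **world** & <script>alert(1)</script> a < b';
$body  = validateBody($input);
// storeBody($pdo, $body);  // enable with a real PDO connection
echo renderBody($body), PHP_EOL;
```

The same escaping is only correct for element content; the quote fragment above refers to the fact that an attribute, a URL or a script block needs its own escaping rules.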