PHP santization of textarea inputA take on DB Abstraction - PHP / MySqlPHP-Mysqli example secure?Inline PHP IP access logSanitzing input on form submit with PHPPHP MySQLi database wrapperThree PHP database queries to manage accountsPHP MySQLI Wrapper - SqlObjectLoading CSV into MySQL using OOP PHPusing $_POST array to prepare PDO statement with variablesSimple wrapper for PHP mysqli connection

Could one become a successful researcher by writing some really good papers while being outside academia?

Can I call myself an assistant professor without a PhD?

Why are Gatwick's runways too close together?

English - Acceptable use of parentheses in an author's name

In reversi, can you overwrite two chips in one move?

How to mark beverage cans in a cooler for a blind person?

Are there any differences in causality between linear and logistic regression?

What are good ways to improve as a writer other than writing courses?

How do we avoid CI-driven development...?

How do I explain to a team that the project they will work on for six months will certainly be cancelled?

Can I legally make a real mobile app based on a fictional app from a TV show?

Visa National - No Exit Stamp From France on Return to the UK

First amendment and employment: Can an employer terminate you for speech?

sed delete all the words before a match

Does the United States guarantee any unique freedoms?

How many different ways are there to checkmate in the early game?

How can I iterate this process?

Double blind peer review when paper cites author's GitHub repo for code

Improving software when the author can see no need for improvement

Why couldn't soldiers sight their own weapons without officers' orders?

Can a one way NS Ticket be used as an OV-Chipkaart for P+R Parking in Amsterdam?

Is it incorrect to write "I rate this book a 3 out of 4 stars?"

Is refreshing multiple times a test case for web applications?

Why do oscilloscopes use SMPS instead of linear power supply?



PHP santization of textarea input


A take on DB Abstraction - PHP / MySqlPHP-Mysqli example secure?Inline PHP IP access logSanitzing input on form submit with PHPPHP MySQLi database wrapperThree PHP database queries to manage accountsPHP MySQLI Wrapper - SqlObjectLoading CSV into MySQL using OOP PHPusing $_POST array to prepare PDO statement with variablesSimple wrapper for PHP mysqli connection






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








1












$begingroup$


My application will accept textarea content that is submitted by a user, and i would like some people to review my code to make sure there is no security vulnerability such as XSS.



My mySQL column that will save this information is a column of type TEXT and is not required and nullable.



When storing the data to database, my script is doing the following:



// to avoid inserting html tags in the database
$input = str_replace(["<", ">"],"", $_POST['userinput'])

// to avoid saving problematic characters such as quotes
$cleanInput = htmlentities(input , ENT_QUOTES)

// store the content
$addPostStmt = $conn -> prepare("
INSERT INTO posts(description) VALUES ( ?)
");

$addPostStmt -> bind_param("s", $cleanInput);
$addPostStmtExecute = $addPostStmt -> execute();


When presenting the data to the user, the script is doing the following:



<?php echo htmlspecialchars(html_entity_decode($post['description']), ENT_SUBSTITUTE); ?>









share|improve this question











$endgroup$













  • $begingroup$
    What's the logic behind doing htmlspecialchars/ html_entity_decode/ then htmlspecialchars again?
    $endgroup$
    – Your Common Sense
    9 hours ago










  • $begingroup$
    @YourCommonSense not sure what you mean by htmlspecialchars again, i am only doing it one, after decoding the html entities. its mostly incase something slips through
    $endgroup$
    – pabloBar
    8 hours ago











  • $begingroup$
    htmlspecialchars and htmlentities is virtually the same, so what's the point doing the same job twice?
    $endgroup$
    – Your Common Sense
    8 hours ago










  • $begingroup$
    Or to put it the other way, what's the point in doing entity encode and then decode?
    $endgroup$
    – Your Common Sense
    8 hours ago

















1












$begingroup$


My application will accept textarea content that is submitted by a user, and i would like some people to review my code to make sure there is no security vulnerability such as XSS.



My mySQL column that will save this information is a column of type TEXT and is not required and nullable.



When storing the data to database, my script is doing the following:



// to avoid inserting html tags in the database
$input = str_replace(["<", ">"],"", $_POST['userinput'])

// to avoid saving problematic characters such as quotes
$cleanInput = htmlentities(input , ENT_QUOTES)

// store the content
$addPostStmt = $conn -> prepare("
INSERT INTO posts(description) VALUES ( ?)
");

$addPostStmt -> bind_param("s", $cleanInput);
$addPostStmtExecute = $addPostStmt -> execute();


When presenting the data to the user, the script is doing the following:



<?php echo htmlspecialchars(html_entity_decode($post['description']), ENT_SUBSTITUTE); ?>









share|improve this question











$endgroup$













  • $begingroup$
    What's the logic behind doing htmlspecialchars/ html_entity_decode/ then htmlspecialchars again?
    $endgroup$
    – Your Common Sense
    9 hours ago










  • $begingroup$
    @YourCommonSense not sure what you mean by htmlspecialchars again, i am only doing it one, after decoding the html entities. its mostly incase something slips through
    $endgroup$
    – pabloBar
    8 hours ago











  • $begingroup$
    htmlspecialchars and htmlentities is virtually the same, so what's the point doing the same job twice?
    $endgroup$
    – Your Common Sense
    8 hours ago










  • $begingroup$
    Or to put it the other way, what's the point in doing entity encode and then decode?
    $endgroup$
    – Your Common Sense
    8 hours ago













1












1








1





$begingroup$


My application will accept textarea content that is submitted by a user, and i would like some people to review my code to make sure there is no security vulnerability such as XSS.



My mySQL column that will save this information is a column of type TEXT and is not required and nullable.



When storing the data to database, my script is doing the following:



// to avoid inserting html tags in the database
$input = str_replace(["<", ">"],"", $_POST['userinput'])

// to avoid saving problematic characters such as quotes
$cleanInput = htmlentities(input , ENT_QUOTES)

// store the content
$addPostStmt = $conn -> prepare("
INSERT INTO posts(description) VALUES ( ?)
");

$addPostStmt -> bind_param("s", $cleanInput);
$addPostStmtExecute = $addPostStmt -> execute();


When presenting the data to the user, the script is doing the following:



<?php echo htmlspecialchars(html_entity_decode($post['description']), ENT_SUBSTITUTE); ?>









share|improve this question











$endgroup$




My application will accept textarea content that is submitted by a user, and i would like some people to review my code to make sure there is no security vulnerability such as XSS.



My mySQL column that will save this information is a column of type TEXT and is not required and nullable.



When storing the data to database, my script is doing the following:



// to avoid inserting html tags in the database
$input = str_replace(["<", ">"],"", $_POST['userinput'])

// to avoid saving problematic characters such as quotes
$cleanInput = htmlentities(input , ENT_QUOTES)

// store the content
$addPostStmt = $conn -> prepare("
INSERT INTO posts(description) VALUES ( ?)
");

$addPostStmt -> bind_param("s", $cleanInput);
$addPostStmtExecute = $addPostStmt -> execute();


When presenting the data to the user, the script is doing the following:



<?php echo htmlspecialchars(html_entity_decode($post['description']), ENT_SUBSTITUTE); ?>






php mysql mysqli escaping






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 9 hours ago









200_success

135k21 gold badges173 silver badges443 bronze badges




135k21 gold badges173 silver badges443 bronze badges










asked 9 hours ago









pabloBarpabloBar

284 bronze badges




284 bronze badges














  • $begingroup$
    What's the logic behind doing htmlspecialchars/ html_entity_decode/ then htmlspecialchars again?
    $endgroup$
    – Your Common Sense
    9 hours ago










  • $begingroup$
    @YourCommonSense not sure what you mean by htmlspecialchars again, i am only doing it one, after decoding the html entities. its mostly incase something slips through
    $endgroup$
    – pabloBar
    8 hours ago











  • $begingroup$
    htmlspecialchars and htmlentities is virtually the same, so what's the point doing the same job twice?
    $endgroup$
    – Your Common Sense
    8 hours ago










  • $begingroup$
    Or to put it the other way, what's the point in doing entity encode and then decode?
    $endgroup$
    – Your Common Sense
    8 hours ago
















  • $begingroup$
    What's the logic behind doing htmlspecialchars/ html_entity_decode/ then htmlspecialchars again?
    $endgroup$
    – Your Common Sense
    9 hours ago










  • $begingroup$
    @YourCommonSense not sure what you mean by htmlspecialchars again, i am only doing it one, after decoding the html entities. its mostly incase something slips through
    $endgroup$
    – pabloBar
    8 hours ago











  • $begingroup$
    htmlspecialchars and htmlentities is virtually the same, so what's the point doing the same job twice?
    $endgroup$
    – Your Common Sense
    8 hours ago










  • $begingroup$
    Or to put it the other way, what's the point in doing entity encode and then decode?
    $endgroup$
    – Your Common Sense
    8 hours ago















$begingroup$
What's the logic behind doing htmlspecialchars/ html_entity_decode/ then htmlspecialchars again?
$endgroup$
– Your Common Sense
9 hours ago




$begingroup$
What's the logic behind doing htmlspecialchars/ html_entity_decode/ then htmlspecialchars again?
$endgroup$
– Your Common Sense
9 hours ago












$begingroup$
@YourCommonSense not sure what you mean by htmlspecialchars again, i am only doing it one, after decoding the html entities. its mostly incase something slips through
$endgroup$
– pabloBar
8 hours ago





$begingroup$
@YourCommonSense not sure what you mean by htmlspecialchars again, i am only doing it one, after decoding the html entities. its mostly incase something slips through
$endgroup$
– pabloBar
8 hours ago













$begingroup$
htmlspecialchars and htmlentities is virtually the same, so what's the point doing the same job twice?
$endgroup$
– Your Common Sense
8 hours ago




$begingroup$
htmlspecialchars and htmlentities is virtually the same, so what's the point doing the same job twice?
$endgroup$
– Your Common Sense
8 hours ago












$begingroup$
Or to put it the other way, what's the point in doing entity encode and then decode?
$endgroup$
– Your Common Sense
8 hours ago




$begingroup$
Or to put it the other way, what's the point in doing entity encode and then decode?
$endgroup$
– Your Common Sense
8 hours ago










1 Answer
1






active

oldest

votes


















3












$begingroup$

No, don't do that. You seem to be filtering and escaping values out of paranoia rather than understanding what exactly would lead to a vulnerability. As a result, you are corrupting your data.



A well designed application should use the database to store the value that the user typed into the textarea, not some mangled representation of it. If you mangle the data like that before storing it, then:



  • Certain characters that the user typed get dropped. (What if the user input is x + 3 < 5? The data would no longer make sense after you drop the < character.)

  • Your database is not reliably searchable. (What if the user input is She said "yes!"? Then you would store a value in the database with &quot; in it.)

  • If you arbitrarily apply escaping to string just in case, then you'll have a hard time keeping track of how to unescape it correctly when regurgitating the data. (This often leads to bugs where the user sees garbage like his &amp; hers, or even worse, his &amp;amp; hers.)

What's the right way? Don't mangle the data; just store it faithfully:



// store the content
$addPostStmt = $conn -> prepare("
INSERT INTO posts(description) VALUES (?)
");

$addPostStmt -> bind_param("s", $_POST['userinput']);
$addPostStmtExecute = $addPostStmt -> execute();


When outputting the data as HTML, apply HTML escaping:



<th>Description:</th><td><?php echo htmlspecialchars($description); ?></td>





share|improve this answer











$endgroup$














  • $begingroup$
    escaping values out of paranoia, that is correct tbh. As i dont have a alot of experience with php and mysql, i chose to be very careful to what to add to my database. 1. < and > does not get used usually when writing content like articles and description. So i thought it would be safer to remove it. The content wont be related to math but i see your point. But instead of filtering out these character, is ok to filter <script instead in case someday i forgot to use htmlspecialchars
    $endgroup$
    – pabloBar
    4 hours ago











  • $begingroup$
    2. and 3. True and i completely agree, but the reason i chose to do it like that is because i was not really certain if there where any magical/non-visible character that might cause a problem with sql. But as long i am using prepared statments i guess i should be fine. Are there edge case scenarios that i should be aware of, where having quote characters in the database might be dangerous?
    $endgroup$
    – pabloBar
    4 hours ago











  • $begingroup$
    Nothing more to worry about. You're using the database API correctly. Just trust that it does the right thing, and don't apply any extra data-corrupting transformations. As long you call htmlspecialchars() when outputting the string as HTML, that will correctly take care of XSS concerns.
    $endgroup$
    – 200_success
    2 hours ago













Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "196"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f225894%2fphp-santization-of-textarea-input%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









3












$begingroup$

No, don't do that. You seem to be filtering and escaping values out of paranoia rather than understanding what exactly would lead to a vulnerability. As a result, you are corrupting your data.



A well designed application should use the database to store the value that the user typed into the textarea, not some mangled representation of it. If you mangle the data like that before storing it, then:



  • Certain characters that the user typed get dropped. (What if the user input is x + 3 < 5? The data would no longer make sense after you drop the < character.)

  • Your database is not reliably searchable. (What if the user input is She said "yes!"? Then you would store a value in the database with &quot; in it.)

  • If you arbitrarily apply escaping to string just in case, then you'll have a hard time keeping track of how to unescape it correctly when regurgitating the data. (This often leads to bugs where the user sees garbage like his &amp; hers, or even worse, his &amp;amp; hers.)

What's the right way? Don't mangle the data; just store it faithfully:



// store the content
$addPostStmt = $conn -> prepare("
INSERT INTO posts(description) VALUES (?)
");

$addPostStmt -> bind_param("s", $_POST['userinput']);
$addPostStmtExecute = $addPostStmt -> execute();


When outputting the data as HTML, apply HTML escaping:



<th>Description:</th><td><?php echo htmlspecialchars($description); ?></td>





share|improve this answer











$endgroup$














  • $begingroup$
    escaping values out of paranoia, that is correct tbh. As i dont have a alot of experience with php and mysql, i chose to be very careful to what to add to my database. 1. < and > does not get used usually when writing content like articles and description. So i thought it would be safer to remove it. The content wont be related to math but i see your point. But instead of filtering out these character, is ok to filter <script instead in case someday i forgot to use htmlspecialchars
    $endgroup$
    – pabloBar
    4 hours ago











  • $begingroup$
    2. and 3. True and i completely agree, but the reason i chose to do it like that is because i was not really certain if there where any magical/non-visible character that might cause a problem with sql. But as long i am using prepared statments i guess i should be fine. Are there edge case scenarios that i should be aware of, where having quote characters in the database might be dangerous?
    $endgroup$
    – pabloBar
    4 hours ago











  • $begingroup$
    Nothing more to worry about. You're using the database API correctly. Just trust that it does the right thing, and don't apply any extra data-corrupting transformations. As long you call htmlspecialchars() when outputting the string as HTML, that will correctly take care of XSS concerns.
    $endgroup$
    – 200_success
    2 hours ago















3












$begingroup$

No, don't do that. You seem to be filtering and escaping values out of paranoia rather than understanding what exactly would lead to a vulnerability. As a result, you are corrupting your data.



A well designed application should use the database to store the value that the user typed into the textarea, not some mangled representation of it. If you mangle the data like that before storing it, then:



  • Certain characters that the user typed get dropped. (What if the user input is x + 3 < 5? The data would no longer make sense after you drop the < character.)

  • Your database is not reliably searchable. (What if the user input is She said "yes!"? Then you would store a value in the database with &quot; in it.)

  • If you arbitrarily apply escaping to string just in case, then you'll have a hard time keeping track of how to unescape it correctly when regurgitating the data. (This often leads to bugs where the user sees garbage like his &amp; hers, or even worse, his &amp;amp; hers.)

What's the right way? Don't mangle the data; just store it faithfully:



// store the content
$addPostStmt = $conn -> prepare("
INSERT INTO posts(description) VALUES (?)
");

$addPostStmt -> bind_param("s", $_POST['userinput']);
$addPostStmtExecute = $addPostStmt -> execute();


When outputting the data as HTML, apply HTML escaping:



<th>Description:</th><td><?php echo htmlspecialchars($description); ?></td>





share|improve this answer











$endgroup$














  • $begingroup$
    escaping values out of paranoia, that is correct tbh. As i dont have a alot of experience with php and mysql, i chose to be very careful to what to add to my database. 1. < and > does not get used usually when writing content like articles and description. So i thought it would be safer to remove it. The content wont be related to math but i see your point. But instead of filtering out these character, is ok to filter <script instead in case someday i forgot to use htmlspecialchars
    $endgroup$
    – pabloBar
    4 hours ago











  • $begingroup$
    2. and 3. True and i completely agree, but the reason i chose to do it like that is because i was not really certain if there where any magical/non-visible character that might cause a problem with sql. But as long i am using prepared statments i guess i should be fine. Are there edge case scenarios that i should be aware of, where having quote characters in the database might be dangerous?
    $endgroup$
    – pabloBar
    4 hours ago











  • $begingroup$
    Nothing more to worry about. You're using the database API correctly. Just trust that it does the right thing, and don't apply any extra data-corrupting transformations. As long you call htmlspecialchars() when outputting the string as HTML, that will correctly take care of XSS concerns.
    $endgroup$
    – 200_success
    2 hours ago













3












3








3





$begingroup$

No, don't do that. You seem to be filtering and escaping values out of paranoia rather than understanding what exactly would lead to a vulnerability. As a result, you are corrupting your data.



A well designed application should use the database to store the value that the user typed into the textarea, not some mangled representation of it. If you mangle the data like that before storing it, then:



  • Certain characters that the user typed get dropped. (What if the user input is x + 3 < 5? The data would no longer make sense after you drop the < character.)

  • Your database is not reliably searchable. (What if the user input is She said "yes!"? Then you would store a value in the database with &quot; in it.)

  • If you arbitrarily apply escaping to string just in case, then you'll have a hard time keeping track of how to unescape it correctly when regurgitating the data. (This often leads to bugs where the user sees garbage like his &amp; hers, or even worse, his &amp;amp; hers.)

What's the right way? Don't mangle the data; just store it faithfully:



// store the content
$addPostStmt = $conn -> prepare("
INSERT INTO posts(description) VALUES (?)
");

$addPostStmt -> bind_param("s", $_POST['userinput']);
$addPostStmtExecute = $addPostStmt -> execute();


When outputting the data as HTML, apply HTML escaping:



<th>Description:</th><td><?php echo htmlspecialchars($description); ?></td>





share|improve this answer











$endgroup$



No, don't do that. You seem to be filtering and escaping values out of paranoia rather than understanding what exactly would lead to a vulnerability. As a result, you are corrupting your data.



A well designed application should use the database to store the value that the user typed into the textarea, not some mangled representation of it. If you mangle the data like that before storing it, then:



  • Certain characters that the user typed get dropped. (What if the user input is x + 3 < 5? The data would no longer make sense after you drop the < character.)

  • Your database is not reliably searchable. (What if the user input is She said "yes!"? Then you would store a value in the database with &quot; in it.)

  • If you arbitrarily apply escaping to string just in case, then you'll have a hard time keeping track of how to unescape it correctly when regurgitating the data. (This often leads to bugs where the user sees garbage like his &amp; hers, or even worse, his &amp;amp; hers.)

What's the right way? Don't mangle the data; just store it faithfully:



// store the content
$addPostStmt = $conn -> prepare("
INSERT INTO posts(description) VALUES (?)
");

$addPostStmt -> bind_param("s", $_POST['userinput']);
$addPostStmtExecute = $addPostStmt -> execute();


When outputting the data as HTML, apply HTML escaping:



<th>Description:</th><td><?php echo htmlspecialchars($description); ?></td>






share|improve this answer














share|improve this answer



share|improve this answer








edited 2 hours ago

























answered 8 hours ago









200_success200_success

135k21 gold badges173 silver badges443 bronze badges




135k21 gold badges173 silver badges443 bronze badges














  • $begingroup$
    escaping values out of paranoia, that is correct tbh. As i dont have a alot of experience with php and mysql, i chose to be very careful to what to add to my database. 1. < and > does not get used usually when writing content like articles and description. So i thought it would be safer to remove it. The content wont be related to math but i see your point. But instead of filtering out these character, is ok to filter <script instead in case someday i forgot to use htmlspecialchars
    $endgroup$
    – pabloBar
    4 hours ago











  • $begingroup$
    2. and 3. True and i completely agree, but the reason i chose to do it like that is because i was not really certain if there where any magical/non-visible character that might cause a problem with sql. But as long i am using prepared statments i guess i should be fine. Are there edge case scenarios that i should be aware of, where having quote characters in the database might be dangerous?
    $endgroup$
    – pabloBar
    4 hours ago











  • $begingroup$
    Nothing more to worry about. You're using the database API correctly. Just trust that it does the right thing, and don't apply any extra data-corrupting transformations. As long you call htmlspecialchars() when outputting the string as HTML, that will correctly take care of XSS concerns.
    $endgroup$
    – 200_success
    2 hours ago
















  • $begingroup$
    escaping values out of paranoia, that is correct tbh. As i dont have a alot of experience with php and mysql, i chose to be very careful to what to add to my database. 1. < and > does not get used usually when writing content like articles and description. So i thought it would be safer to remove it. The content wont be related to math but i see your point. But instead of filtering out these character, is ok to filter <script instead in case someday i forgot to use htmlspecialchars
    $endgroup$
    – pabloBar
    4 hours ago











  • $begingroup$
    2. and 3. True and i completely agree, but the reason i chose to do it like that is because i was not really certain if there where any magical/non-visible character that might cause a problem with sql. But as long i am using prepared statments i guess i should be fine. Are there edge case scenarios that i should be aware of, where having quote characters in the database might be dangerous?
    $endgroup$
    – pabloBar
    4 hours ago











  • $begingroup$
    Nothing more to worry about. You're using the database API correctly. Just trust that it does the right thing, and don't apply any extra data-corrupting transformations. As long you call htmlspecialchars() when outputting the string as HTML, that will correctly take care of XSS concerns.
    $endgroup$
    – 200_success
    2 hours ago















$begingroup$
escaping values out of paranoia, that is correct tbh. As i dont have a alot of experience with php and mysql, i chose to be very careful to what to add to my database. 1. < and > does not get used usually when writing content like articles and description. So i thought it would be safer to remove it. The content wont be related to math but i see your point. But instead of filtering out these character, is ok to filter <script instead in case someday i forgot to use htmlspecialchars
$endgroup$
– pabloBar
4 hours ago





$begingroup$
escaping values out of paranoia, that is correct tbh. As i dont have a alot of experience with php and mysql, i chose to be very careful to what to add to my database. 1. < and > does not get used usually when writing content like articles and description. So i thought it would be safer to remove it. The content wont be related to math but i see your point. But instead of filtering out these character, is ok to filter <script instead in case someday i forgot to use htmlspecialchars
$endgroup$
– pabloBar
4 hours ago













$begingroup$
2. and 3. True and i completely agree, but the reason i chose to do it like that is because i was not really certain if there where any magical/non-visible character that might cause a problem with sql. But as long i am using prepared statments i guess i should be fine. Are there edge case scenarios that i should be aware of, where having quote characters in the database might be dangerous?
$endgroup$
– pabloBar
4 hours ago





$begingroup$
2. and 3. True and i completely agree, but the reason i chose to do it like that is because i was not really certain if there where any magical/non-visible character that might cause a problem with sql. But as long i am using prepared statments i guess i should be fine. Are there edge case scenarios that i should be aware of, where having quote characters in the database might be dangerous?
$endgroup$
– pabloBar
4 hours ago













$begingroup$
Nothing more to worry about. You're using the database API correctly. Just trust that it does the right thing, and don't apply any extra data-corrupting transformations. As long you call htmlspecialchars() when outputting the string as HTML, that will correctly take care of XSS concerns.
$endgroup$
– 200_success
2 hours ago




$begingroup$
Nothing more to worry about. You're using the database API correctly. Just trust that it does the right thing, and don't apply any extra data-corrupting transformations. As long you call htmlspecialchars() when outputting the string as HTML, that will correctly take care of XSS concerns.
$endgroup$
– 200_success
2 hours ago

















draft saved

draft discarded
















































Thanks for contributing an answer to Code Review Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f225894%2fphp-santization-of-textarea-input%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

199年 目錄 大件事 到箇年出世嗰人 到箇年死嗰人 節慶、風俗習慣 導覽選單