Do I have to protect input from users when I insert that information to file?
So, we all know that if a user enters something into an input and we put it into the database, we have to make it safe (use mysql_escape_string and so on).
But when we add the user's input to a file, do we need to protect it as well (besides htmlspecialchars)?
Thank you.
That highly depends on what happens to the data afterwards. You don't need to escape it (as there is no such thing as "file injection"), but you should be careful when printing the content back to the browser (strip_tags and/or htmlspecialchars).
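The point of this answer, storing the text unchanged and escaping only at the moment it is rendered into HTML, shown as an added PHP example (not code from the question or any answer). The storage path, the record format and the sample input are constructed for illustration:

```php
<?php
// Added example (not from the original question or answers): user-supplied text
// is stored in a flat file unchanged, and escaping is applied only when the
// text is rendered back into HTML. Paths and sample input are constructed.

declare(strict_types=1);

// Constructed sample input: the kind of value a user might submit in a form.
$userInput = "<script>alert('xss')</script>\nsecond \"line\" & more";

// Hypothetical storage path inside the system temp directory. The path is
// fixed by the application; it is never derived from user input.
$storePath = sys_get_temp_dir() . '/comments.jsonl';

// Append one record per line. json_encode turns embedded newlines into "\n"
// escape sequences, so a single input cannot span or split records.
function storeComment(string $path, string $text): void
{
    $record = json_encode(['text' => $text], JSON_THROW_ON_ERROR);
    file_put_contents($path, $record . "\n", FILE_APPEND | LOCK_EX);
}

// Read the records back exactly as stored: no HTML escaping happens here.
function loadComments(string $path): array
{
    if (!is_file($path)) {
        return [];
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    $out = [];
    foreach ($lines as $line) {
        $out[] = json_decode($line, true, 512, JSON_THROW_ON_ERROR)['text'];
    }
    return $out;
}

// Unsafe: the raw text is interpolated into HTML, so the stored <script>
// tag reaches the browser intact. This is the failure the answers warn about.
function renderUnsafe(array $comments): string
{
    $html = '';
    foreach ($comments as $c) {
        $html .= "<li>$c</li>\n";
    }
    return $html;
}

// Safe: escape at the point of output, for the HTML context, with explicit
// quote handling and charset so attribute contexts are also covered.
function renderSafe(array $comments): string
{
    $html = '';
    foreach ($comments as $c) {
        $html .= '<li>' . htmlspecialchars($c, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</li>\n";
    }
    return $html;
}

storeComment($storePath, $userInput);
$comments = loadComments($storePath);

echo "--- unsafe rendering (script tag survives) ---\n";
echo renderUnsafe($comments);
echo "--- safe rendering (escaped for HTML) ---\n";
echo renderSafe($comments);

unlink($storePath);
```

Two design choices worth noting: the file keeps the original bytes, so the same record can later be escaped differently for a different context (a JSON API, a mail body), and htmlspecialchars is only correct for the HTML text and attribute contexts it targets; text that ends up inside a script block or a URL needs the escaping appropriate to that context instead.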
Will those files ever be viewed in a way that would make the client process/machine vulnerable?
If I embed a malicious javascript script that does bad things to your machine, does it matter to you if it's displayed from a DB or from a file in your browser?
In general, if there's no reason for the user to ever enter a certain character, then don't allow it. I usually implement these by whitelists as opposed to blacklists. Define what a valid field looks like, and allow only those characters that are mandatory.
To answer your question directly, No.
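The whitelist approach this answer recommends, as an added PHP example (not the answerer's code). The field name and the allowed pattern are hypothetical choices made for illustration:

```php
<?php
// Added example (not from the original answer): whitelist validation of a
// field, in the spirit of "define what a valid field looks like". The field
// name and the allowed pattern are hypothetical choices for illustration.

declare(strict_types=1);

// A username here is defined as 3 to 20 characters from [A-Za-z0-9_].
// Anything else is rejected outright rather than "cleaned up".
function isValidUsername(string $value): bool
{
    return preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $value) === 1;
}

// Constructed sample inputs with the expected decision for each.
$samples = [
    'alice_01'    => true,
    'ab'          => false, // too short
    'bob<script>' => false, // characters outside the whitelist
    "carol\n"     => false, // trailing newline: \z rejects it, a bare $ would not
    'dave.smith'  => false, // dot is not in the allowed set
];

foreach ($samples as $input => $expected) {
    $result = isValidUsername($input);
    printf("%-15s -> %s (expected %s)\n",
        json_encode($input),
        $result ? 'accept' : 'reject',
        $expected ? 'accept' : 'reject');
}
```

The anchors matter: in PCRE a trailing `$` still matches before a final newline, so `\A` and `\z` are used to force the whole value to match. Rejecting invalid input instead of stripping characters keeps the rule easy to reason about and avoids surprises where a "cleaned" value becomes something the user never typed.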