What is the correct encoding / escaping / htmlentities needed when sending data from js to php, php to mysql, and for REST json responses

This is something I encounter often, and I usually end up resorting to the try and try again method until the data works. I figured SO would know what the best practice开发者_Go百科 is in order to maintain the data and not mess up the json.

Let's assume the data I want to send is text data of the most annoying sort - special characters, &,<,", \n, \n\r, \t, +, etc.

Let's also assume I want to keep everything in utf8, and my mysql table is configured to be utf8. However, since PHP's utf8 support is lacking, this should be considered.

What encoding / escaping / htmlentities should I be doing from:

1) Sending JSON data from client JS to PHP via AJAX POST (anything different for GET?)

2) Decoding data in PHP and storing text string in mysql database (or store the escaped/encoded data? )

3) Retrieving data from MySQL DB in PHP and returned as JSON response to JS AJAX request

4) In a JSON response from our REST api

Whenever I use php/mysql/jquery to pass data back and forth, I end up using the following combination of encodings/escapings, and it seems to work well for me.

1) you don't need to do anything here, UNLESS you are sending a URL (I think this is only for GET requests) - but if you're sending a url you need to use encodeURIComponent(url), which will properly escape the &'s and special characters in the url (see more here).

2) Use mysqli and bound parameters, it will do all the escaping for you (read about it here)

3) I always use this when echoing data into an HTML file :

<?php
  htmlspecialchars($string_to_escape, ENT_QUOTES, 'UTF-8', false);
?>

This will properly encode all special characters (the false is for "no double encoding"). Also make sure you the proper UTF-8 meta tags at the top of your html pages.

4) Using json_encode should always escape your data properly, but I would use the code from #3 just to make sure. But you'll probably only need it if you're returning data with special characters in it.

1. for sending json data to php you don't have to do anything special. JSON is just a serialized javascript 'variable'
2. use prepared statements! do not try to decode/strip/alter the content with php
3. use the appropriate functions to escape data for json (I don't know if there's a builtin php function for that)
4. same as 3.