开发者

Should htmlspecialchars() be used on information on input or just before output?

I take $_POST information and store it in a DB and later on query and print this information to the user. Should I use htmlspecialchars() before inserting this info or after I query it before I output it?

In addition I开发者_如何学JAVA need the ability for users to have the ability to use quotes and other everyday special chars. I know I can use the flag ENT_NOQUOTES but it feels like if I do that it leaves security holes.

My site allows Bbcode and I want users to be able to use everyday characters without having to see "amp;lt;<?>&".

Patience with me <--- noob is encouraged! Thanks :D


Should I use htmlspecialchars() before inserting this info or after I query it before I output it?

Escape data for the target code just before you insert it. i.e. Just before you output it.

This means that you will keep the data in its original form for other purposes (e.g. outputting to the user for editing, including in an email, generating a PDF, searching, etc)

In addition I need the ability for users to have the ability to use quotes and other everyday special chars. I know I can use the flag ENT_NOQUOTES but it feels like if I do that it leaves security holes.

htmlspecialchars() will convert quotes in the inputted data into HTML. So you don't need to do anything special.

My site allows Bbcode

Then you need to have a proper BBCode parser.


htmlspecialchars() is used before output to avoid XSS. And the database should better save the user's raw input.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜