PHP santization of textarea inputA take on DB Abstraction - PHP / MySqlPHP-Mysqli example secure?Inline PHP IP access logSanitzing input on form submit with PHPPHP MySQLi database wrapperThree PHP database queries to manage accountsPHP MySQLI Wrapper - SqlObjectLoading CSV into MySQL using OOP PHPusing $_POST array to prepare PDO statement with variablesSimple wrapper for PHP mysqli connection

Efficiently pathfinding many flocking enemies around obstacles

Is it safe to remove the bottom chords of a series of garage roof trusses?

Why does trim() NOT remove char 160?

Is "The life is beautiful" incorrect or just very non-idiomatic?

Why does The Ancient One think differently about Doctor Strange in Endgame than the film Doctor Strange?

Is there a known non-euclidean geometry where two concentric circles of different radii can intersect? (as in the novel "The Universe Between")

Is it possible to get crispy, crunchy carrots from canned carrots?

Would this system work to purify water?

Why different interest rates for checking and savings?

Who was president?

Algorithms vs LP or MIP

Are there account age or level requirements for obtaining special research?

Does travel insurance for short flight delays exist?

Can I double-dip a flight and claim it for both United and Lufthansa status miles?

Confirming resignation after resignation letter ripped up

What is this symbol: semicircles facing eachother

Why is Boris Johnson visiting only Paris & Berlin if every member of the EU needs to agree on a withdrawal deal?

Why is less being run unnecessarily by git?

Average period of peer review process

LeetCode: Pascal's Triangle C#

What is the history of the university asylum law?

Why were the crew so desperate to catch Truman and return him to Seahaven?

How to respectfully refuse to assist co-workers with IT issues?

Which household object drew this pattern?



PHP santization of textarea input


A take on DB Abstraction - PHP / MySqlPHP-Mysqli example secure?Inline PHP IP access logSanitzing input on form submit with PHPPHP MySQLi database wrapperThree PHP database queries to manage accountsPHP MySQLI Wrapper - SqlObjectLoading CSV into MySQL using OOP PHPusing $_POST array to prepare PDO statement with variablesSimple wrapper for PHP mysqli connection






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








2












$begingroup$


My application will accept textarea content that is submitted by a user, and i would like some people to review my code to make sure there is no security vulnerability such as XSS.



My mySQL column that will save this information is a column of type TEXT and is not required and nullable.



When storing the data to database, my script is doing the following:



// to avoid inserting html tags in the database
$input = str_replace(["<", ">"],"", $_POST['userinput'])

// to avoid saving problematic characters such as quotes 
$cleanInput = htmlentities(input , ENT_QUOTES)

// store the content
$addPostStmt = $conn -> prepare("
 INSERT INTO posts(description) VALUES ( ?)
");

$addPostStmt -> bind_param("s", $cleanInput); 
$addPostStmtExecute = $addPostStmt -> execute();


When presenting the data to the user, the script is doing the following:



<?php echo htmlspecialchars(html_entity_decode($post['description']), ENT_SUBSTITUTE); ?>





php mysql mysqli escaping







share|improve this question











$endgroup$













  • $begingroup$
    What's the logic behind doing htmlspecialchars/ html_entity_decode/ then htmlspecialchars again?
    $endgroup$
    – Your Common Sense
    Aug 10 at 16:43










  • $begingroup$
    @YourCommonSense not sure what you mean by htmlspecialchars again, i am only doing it one, after decoding the html entities. its mostly incase something slips through
    $endgroup$
    – pabloBar
    Aug 10 at 16:55











  • $begingroup$
    htmlspecialchars and htmlentities is virtually the same, so what's the point doing the same job twice?
    $endgroup$
    – Your Common Sense
    Aug 10 at 17:00










  • $begingroup$
    Or to put it the other way, what's the point in doing entity encode and then decode?
    $endgroup$
    – Your Common Sense
    Aug 10 at 17:02

















2












$begingroup$


My application will accept textarea content that is submitted by a user, and i would like some people to review my code to make sure there is no security vulnerability such as XSS.



My mySQL column that will save this information is a column of type TEXT and is not required and nullable.



When storing the data to database, my script is doing the following:



// to avoid inserting html tags in the database
$input = str_replace(["<", ">"],"", $_POST['userinput'])

// to avoid saving problematic characters such as quotes 
$cleanInput = htmlentities(input , ENT_QUOTES)

// store the content
$addPostStmt = $conn -> prepare("
 INSERT INTO posts(description) VALUES ( ?)
");

$addPostStmt -> bind_param("s", $cleanInput); 
$addPostStmtExecute = $addPostStmt -> execute();


When presenting the data to the user, the script is doing the following:



<?php echo htmlspecialchars(html_entity_decode($post['description']), ENT_SUBSTITUTE); ?>





php mysql mysqli escaping







share|improve this question











$endgroup$













  • $begingroup$
    What's the logic behind doing htmlspecialchars/ html_entity_decode/ then htmlspecialchars again?
    $endgroup$
    – Your Common Sense
    Aug 10 at 16:43










  • $begingroup$
    @YourCommonSense not sure what you mean by htmlspecialchars again, i am only doing it one, after decoding the html entities. its mostly incase something slips through
    $endgroup$
    – pabloBar
    Aug 10 at 16:55











  • $begingroup$
    htmlspecialchars and htmlentities is virtually the same, so what's the point doing the same job twice?
    $endgroup$
    – Your Common Sense
    Aug 10 at 17:00










  • $begingroup$
    Or to put it the other way, what's the point in doing entity encode and then decode?
    $endgroup$
    – Your Common Sense
    Aug 10 at 17:02













2












2








2





$begingroup$


My application will accept textarea content that is submitted by a user, and i would like some people to review my code to make sure there is no security vulnerability such as XSS.



My mySQL column that will save this information is a column of type TEXT and is not required and nullable.



When storing the data to database, my script is doing the following:



// to avoid inserting html tags in the database
$input = str_replace(["<", ">"],"", $_POST['userinput'])

// to avoid saving problematic characters such as quotes 
$cleanInput = htmlentities(input , ENT_QUOTES)

// store the content
$addPostStmt = $conn -> prepare("
 INSERT INTO posts(description) VALUES ( ?)
");

$addPostStmt -> bind_param("s", $cleanInput); 
$addPostStmtExecute = $addPostStmt -> execute();


When presenting the data to the user, the script is doing the following:



<?php echo htmlspecialchars(html_entity_decode($post['description']), ENT_SUBSTITUTE); ?>





php mysql mysqli escaping







share|improve this question











$endgroup$




My application will accept textarea content that is submitted by a user, and i would like some people to review my code to make sure there is no security vulnerability such as XSS.



My mySQL column that will save this information is a column of type TEXT and is not required and nullable.



When storing the data to database, my script is doing the following:



// to avoid inserting html tags in the database
$input = str_replace(["<", ">"],"", $_POST['userinput'])

// to avoid saving problematic characters such as quotes 
$cleanInput = htmlentities(input , ENT_QUOTES)

// store the content
$addPostStmt = $conn -> prepare("
 INSERT INTO posts(description) VALUES ( ?)
");

$addPostStmt -> bind_param("s", $cleanInput); 
$addPostStmtExecute = $addPostStmt -> execute();


When presenting the data to the user, the script is doing the following:



<?php echo htmlspecialchars(html_entity_decode($post['description']), ENT_SUBSTITUTE); ?>





php mysql mysqli escaping




php mysql mysqli escaping






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Aug 10 at 16:41









200_success

135k21 gold badges173 silver badges443 bronze badges




135k21 gold badges173 silver badges443 bronze badges










asked Aug 10 at 16:35









pabloBarpabloBar

334 bronze badges




334 bronze badges














  • $begingroup$
    What's the logic behind doing htmlspecialchars/ html_entity_decode/ then htmlspecialchars again?
    $endgroup$
    – Your Common Sense
    Aug 10 at 16:43










  • $begingroup$
    @YourCommonSense not sure what you mean by htmlspecialchars again, i am only doing it one, after decoding the html entities. its mostly incase something slips through
    $endgroup$
    – pabloBar
    Aug 10 at 16:55











  • $begingroup$
    htmlspecialchars and htmlentities is virtually the same, so what's the point doing the same job twice?
    $endgroup$
    – Your Common Sense
    Aug 10 at 17:00










  • $begingroup$
    Or to put it the other way, what's the point in doing entity encode and then decode?
    $endgroup$
    – Your Common Sense
    Aug 10 at 17:02
















  • $begingroup$
    What's the logic behind doing htmlspecialchars/ html_entity_decode/ then htmlspecialchars again?
    $endgroup$
    – Your Common Sense
    Aug 10 at 16:43










  • $begingroup$
    @YourCommonSense not sure what you mean by htmlspecialchars again, i am only doing it one, after decoding the html entities. its mostly incase something slips through
    $endgroup$
    – pabloBar
    Aug 10 at 16:55











  • $begingroup$
    htmlspecialchars and htmlentities is virtually the same, so what's the point doing the same job twice?
    $endgroup$
    – Your Common Sense
    Aug 10 at 17:00










  • $begingroup$
    Or to put it the other way, what's the point in doing entity encode and then decode?
    $endgroup$
    – Your Common Sense
    Aug 10 at 17:02















$begingroup$
What's the logic behind doing htmlspecialchars/ html_entity_decode/ then htmlspecialchars again?
$endgroup$
– Your Common Sense
Aug 10 at 16:43




$begingroup$
What's the logic behind doing htmlspecialchars/ html_entity_decode/ then htmlspecialchars again?
$endgroup$
– Your Common Sense
Aug 10 at 16:43












$begingroup$
@YourCommonSense not sure what you mean by htmlspecialchars again, i am only doing it one, after decoding the html entities. its mostly incase something slips through
$endgroup$
– pabloBar
Aug 10 at 16:55





$begingroup$
@YourCommonSense not sure what you mean by htmlspecialchars again, i am only doing it one, after decoding the html entities. its mostly incase something slips through
$endgroup$
– pabloBar
Aug 10 at 16:55













$begingroup$
htmlspecialchars and htmlentities is virtually the same, so what's the point doing the same job twice?
$endgroup$
– Your Common Sense
Aug 10 at 17:00




$begingroup$
htmlspecialchars and htmlentities is virtually the same, so what's the point doing the same job twice?
$endgroup$
– Your Common Sense
Aug 10 at 17:00












$begingroup$
Or to put it the other way, what's the point in doing entity encode and then decode?
$endgroup$
– Your Common Sense
Aug 10 at 17:02




$begingroup$
Or to put it the other way, what's the point in doing entity encode and then decode?
$endgroup$
– Your Common Sense
Aug 10 at 17:02










1 Answer
1






active

oldest

votes


















6













$begingroup$

No, don't do that. You seem to be filtering and escaping values out of paranoia rather than understanding what exactly would lead to a vulnerability. As a result, you are corrupting your data.



A well designed application should use the database to store the value that the user typed into the textarea, not some mangled representation of it. If you mangle the data like that before storing it, then:



  • Certain characters that the user typed get dropped. (What if the user input is x + 3 < 5? The data would no longer make sense after you drop the < character.)

  • Your database is not reliably searchable. (What if the user input is She said "yes!"? Then you would store a value in the database with &quot; in it.)

  • If you arbitrarily apply escaping to string just in case, then you'll have a hard time keeping track of how to unescape it correctly when regurgitating the data. (This often leads to bugs where the user sees garbage like his &amp; hers, or even worse, his &amp;amp; hers.)

What's the right way? Don't mangle the data; just store it faithfully:



// store the content
$addPostStmt = $conn -> prepare("
 INSERT INTO posts(description) VALUES (?)
");

$addPostStmt -> bind_param("s", $_POST['userinput']); 
$addPostStmtExecute = $addPostStmt -> execute();


When outputting the data as HTML, apply HTML escaping:



<th>Description:</th><td><?php echo htmlspecialchars($description); ?></td>





share|improve this answer











$endgroup$














  • $begingroup$
    escaping values out of paranoia, that is correct tbh. As i dont have a alot of experience with php and mysql, i chose to be very careful to what to add to my database. 1. < and > does not get used usually when writing content like articles and description. So i thought it would be safer to remove it. The content wont be related to math but i see your point. But instead of filtering out these character, is ok to filter <script instead in case someday i forgot to use htmlspecialchars
    $endgroup$
    – pabloBar
    Aug 10 at 21:35











  • $begingroup$
    2. and 3. True and i completely agree, but the reason i chose to do it like that is because i was not really certain if there where any magical/non-visible character that might cause a problem with sql. But as long i am using prepared statments i guess i should be fine. Are there edge case scenarios that i should be aware of, where having quote characters in the database might be dangerous?
    $endgroup$
    – pabloBar
    Aug 10 at 21:36







  • 2




    $begingroup$
    Nothing more to worry about. You're using the database API correctly. Just trust that it does the right thing, and don't apply any extra data-corrupting transformations. As long you call htmlspecialchars() when outputting the string as HTML, that will correctly take care of XSS concerns.
    $endgroup$
    – 200_success
    Aug 10 at 23:06










  • $begingroup$
    just a side question, why did you drop the ENT_SUBSTITUTE flag ?
    $endgroup$
    – pabloBar
    Aug 11 at 20:30










  • $begingroup$
    Because html_entity_decode() should be unnecessary altogether, if you don't apply a superfluous round of encoding with htmlentities().
    $endgroup$
    – 200_success
    Aug 12 at 2:00













Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "196"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f225894%2fphp-santization-of-textarea-input%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









6













$begingroup$

No, don't do that. You seem to be filtering and escaping values out of paranoia rather than understanding what exactly would lead to a vulnerability. As a result, you are corrupting your data.



A well designed application should use the database to store the value that the user typed into the textarea, not some mangled representation of it. If you mangle the data like that before storing it, then:



  • Certain characters that the user typed get dropped. (What if the user input is x + 3 < 5? The data would no longer make sense after you drop the < character.)

  • Your database is not reliably searchable. (What if the user input is She said "yes!"? Then you would store a value in the database with &quot; in it.)

  • If you arbitrarily apply escaping to string just in case, then you'll have a hard time keeping track of how to unescape it correctly when regurgitating the data. (This often leads to bugs where the user sees garbage like his &amp; hers, or even worse, his &amp;amp; hers.)

What's the right way? Don't mangle the data; just store it faithfully:



// store the content
$addPostStmt = $conn -> prepare("
 INSERT INTO posts(description) VALUES (?)
");

$addPostStmt -> bind_param("s", $_POST['userinput']); 
$addPostStmtExecute = $addPostStmt -> execute();


When outputting the data as HTML, apply HTML escaping:



<th>Description:</th><td><?php echo htmlspecialchars($description); ?></td>





share|improve this answer











$endgroup$














  • $begingroup$
    escaping values out of paranoia, that is correct tbh. As i dont have a alot of experience with php and mysql, i chose to be very careful to what to add to my database. 1. < and > does not get used usually when writing content like articles and description. So i thought it would be safer to remove it. The content wont be related to math but i see your point. But instead of filtering out these character, is ok to filter <script instead in case someday i forgot to use htmlspecialchars
    $endgroup$
    – pabloBar
    Aug 10 at 21:35











  • $begingroup$
    2. and 3. True and i completely agree, but the reason i chose to do it like that is because i was not really certain if there where any magical/non-visible character that might cause a problem with sql. But as long i am using prepared statments i guess i should be fine. Are there edge case scenarios that i should be aware of, where having quote characters in the database might be dangerous?
    $endgroup$
    – pabloBar
    Aug 10 at 21:36







  • 2




    $begingroup$
    Nothing more to worry about. You're using the database API correctly. Just trust that it does the right thing, and don't apply any extra data-corrupting transformations. As long you call htmlspecialchars() when outputting the string as HTML, that will correctly take care of XSS concerns.
    $endgroup$
    – 200_success
    Aug 10 at 23:06










  • $begingroup$
    just a side question, why did you drop the ENT_SUBSTITUTE flag ?
    $endgroup$
    – pabloBar
    Aug 11 at 20:30










  • $begingroup$
    Because html_entity_decode() should be unnecessary altogether, if you don't apply a superfluous round of encoding with htmlentities().
    $endgroup$
    – 200_success
    Aug 12 at 2:00















6













$begingroup$

No, don't do that. You seem to be filtering and escaping values out of paranoia rather than understanding what exactly would lead to a vulnerability. As a result, you are corrupting your data.



A well designed application should use the database to store the value that the user typed into the textarea, not some mangled representation of it. If you mangle the data like that before storing it, then:



  • Certain characters that the user typed get dropped. (What if the user input is x + 3 < 5? The data would no longer make sense after you drop the < character.)

  • Your database is not reliably searchable. (What if the user input is She said "yes!"? Then you would store a value in the database with &quot; in it.)

  • If you arbitrarily apply escaping to string just in case, then you'll have a hard time keeping track of how to unescape it correctly when regurgitating the data. (This often leads to bugs where the user sees garbage like his &amp; hers, or even worse, his &amp;amp; hers.)

What's the right way? Don't mangle the data; just store it faithfully:



// store the content
$addPostStmt = $conn -> prepare("
 INSERT INTO posts(description) VALUES (?)
");

$addPostStmt -> bind_param("s", $_POST['userinput']); 
$addPostStmtExecute = $addPostStmt -> execute();


When outputting the data as HTML, apply HTML escaping:



<th>Description:</th><td><?php echo htmlspecialchars($description); ?></td>





share|improve this answer











$endgroup$














  • $begingroup$
    escaping values out of paranoia, that is correct tbh. As i dont have a alot of experience with php and mysql, i chose to be very careful to what to add to my database. 1. < and > does not get used usually when writing content like articles and description. So i thought it would be safer to remove it. The content wont be related to math but i see your point. But instead of filtering out these character, is ok to filter <script instead in case someday i forgot to use htmlspecialchars
    $endgroup$
    – pabloBar
    Aug 10 at 21:35











  • $begingroup$
    2. and 3. True and i completely agree, but the reason i chose to do it like that is because i was not really certain if there where any magical/non-visible character that might cause a problem with sql. But as long i am using prepared statments i guess i should be fine. Are there edge case scenarios that i should be aware of, where having quote characters in the database might be dangerous?
    $endgroup$
    – pabloBar
    Aug 10 at 21:36







  • 2




    $begingroup$
    Nothing more to worry about. You're using the database API correctly. Just trust that it does the right thing, and don't apply any extra data-corrupting transformations. As long you call htmlspecialchars() when outputting the string as HTML, that will correctly take care of XSS concerns.
    $endgroup$
    – 200_success
    Aug 10 at 23:06










  • $begingroup$
    just a side question, why did you drop the ENT_SUBSTITUTE flag ?
    $endgroup$
    – pabloBar
    Aug 11 at 20:30










  • $begingroup$
    Because html_entity_decode() should be unnecessary altogether, if you don't apply a superfluous round of encoding with htmlentities().
    $endgroup$
    – 200_success
    Aug 12 at 2:00













6














6










6







$begingroup$

No, don't do that. You seem to be filtering and escaping values out of paranoia rather than understanding what exactly would lead to a vulnerability. As a result, you are corrupting your data.



A well designed application should use the database to store the value that the user typed into the textarea, not some mangled representation of it. If you mangle the data like that before storing it, then:



  • Certain characters that the user typed get dropped. (What if the user input is x + 3 < 5? The data would no longer make sense after you drop the < character.)

  • Your database is not reliably searchable. (What if the user input is She said "yes!"? Then you would store a value in the database with &quot; in it.)

  • If you arbitrarily apply escaping to string just in case, then you'll have a hard time keeping track of how to unescape it correctly when regurgitating the data. (This often leads to bugs where the user sees garbage like his &amp; hers, or even worse, his &amp;amp; hers.)

What's the right way? Don't mangle the data; just store it faithfully:



// store the content
$addPostStmt = $conn -> prepare("
 INSERT INTO posts(description) VALUES (?)
");

$addPostStmt -> bind_param("s", $_POST['userinput']); 
$addPostStmtExecute = $addPostStmt -> execute();


When outputting the data as HTML, apply HTML escaping:



<th>Description:</th><td><?php echo htmlspecialchars($description); ?></td>





share|improve this answer











$endgroup$



No, don't do that. You seem to be filtering and escaping values out of paranoia rather than understanding what exactly would lead to a vulnerability. As a result, you are corrupting your data.



A well designed application should use the database to store the value that the user typed into the textarea, not some mangled representation of it. If you mangle the data like that before storing it, then:



  • Certain characters that the user typed get dropped. (What if the user input is x + 3 < 5? The data would no longer make sense after you drop the < character.)

  • Your database is not reliably searchable. (What if the user input is She said "yes!"? Then you would store a value in the database with &quot; in it.)

  • If you arbitrarily apply escaping to string just in case, then you'll have a hard time keeping track of how to unescape it correctly when regurgitating the data. (This often leads to bugs where the user sees garbage like his &amp; hers, or even worse, his &amp;amp; hers.)

What's the right way? Don't mangle the data; just store it faithfully:



// store the content
$addPostStmt = $conn -> prepare("
 INSERT INTO posts(description) VALUES (?)
");

$addPostStmt -> bind_param("s", $_POST['userinput']); 
$addPostStmtExecute = $addPostStmt -> execute();


When outputting the data as HTML, apply HTML escaping:



<th>Description:</th><td><?php echo htmlspecialchars($description); ?></td>






share|improve this answer














share|improve this answer



share|improve this answer








edited Aug 10 at 23:06

























answered Aug 10 at 17:05









200_success200_success

135k21 gold badges173 silver badges443 bronze badges




135k21 gold badges173 silver badges443 bronze badges














  • $begingroup$
    escaping values out of paranoia, that is correct tbh. As i dont have a alot of experience with php and mysql, i chose to be very careful to what to add to my database. 1. < and > does not get used usually when writing content like articles and description. So i thought it would be safer to remove it. The content wont be related to math but i see your point. But instead of filtering out these character, is ok to filter <script instead in case someday i forgot to use htmlspecialchars
    $endgroup$
    – pabloBar
    Aug 10 at 21:35











  • $begingroup$
    2. and 3. True and i completely agree, but the reason i chose to do it like that is because i was not really certain if there where any magical/non-visible character that might cause a problem with sql. But as long i am using prepared statments i guess i should be fine. Are there edge case scenarios that i should be aware of, where having quote characters in the database might be dangerous?
    $endgroup$
    – pabloBar
    Aug 10 at 21:36







  • 2




    $begingroup$
    Nothing more to worry about. You're using the database API correctly. Just trust that it does the right thing, and don't apply any extra data-corrupting transformations. As long you call htmlspecialchars() when outputting the string as HTML, that will correctly take care of XSS concerns.
    $endgroup$
    – 200_success
    Aug 10 at 23:06










  • $begingroup$
    just a side question, why did you drop the ENT_SUBSTITUTE flag ?
    $endgroup$
    – pabloBar
    Aug 11 at 20:30










  • $begingroup$
    Because html_entity_decode() should be unnecessary altogether, if you don't apply a superfluous round of encoding with htmlentities().
    $endgroup$
    – 200_success
    Aug 12 at 2:00
















  • $begingroup$
    escaping values out of paranoia, that is correct tbh. As i dont have a alot of experience with php and mysql, i chose to be very careful to what to add to my database. 1. < and > does not get used usually when writing content like articles and description. So i thought it would be safer to remove it. The content wont be related to math but i see your point. But instead of filtering out these character, is ok to filter <script instead in case someday i forgot to use htmlspecialchars
    $endgroup$
    – pabloBar
    Aug 10 at 21:35











  • $begingroup$
    2. and 3. True and i completely agree, but the reason i chose to do it like that is because i was not really certain if there where any magical/non-visible character that might cause a problem with sql. But as long i am using prepared statments i guess i should be fine. Are there edge case scenarios that i should be aware of, where having quote characters in the database might be dangerous?
    $endgroup$
    – pabloBar
    Aug 10 at 21:36







  • 2




    $begingroup$
    Nothing more to worry about. You're using the database API correctly. Just trust that it does the right thing, and don't apply any extra data-corrupting transformations. As long you call htmlspecialchars() when outputting the string as HTML, that will correctly take care of XSS concerns.
    $endgroup$
    – 200_success
    Aug 10 at 23:06










  • $begingroup$
    just a side question, why did you drop the ENT_SUBSTITUTE flag ?
    $endgroup$
    – pabloBar
    Aug 11 at 20:30










  • $begingroup$
    Because html_entity_decode() should be unnecessary altogether, if you don't apply a superfluous round of encoding with htmlentities().
    $endgroup$
    – 200_success
    Aug 12 at 2:00















$begingroup$
escaping values out of paranoia, that is correct tbh. As i dont have a alot of experience with php and mysql, i chose to be very careful to what to add to my database. 1. < and > does not get used usually when writing content like articles and description. So i thought it would be safer to remove it. The content wont be related to math but i see your point. But instead of filtering out these character, is ok to filter <script instead in case someday i forgot to use htmlspecialchars
$endgroup$
– pabloBar
Aug 10 at 21:35





$begingroup$
escaping values out of paranoia, that is correct tbh. As i dont have a alot of experience with php and mysql, i chose to be very careful to what to add to my database. 1. < and > does not get used usually when writing content like articles and description. So i thought it would be safer to remove it. The content wont be related to math but i see your point. But instead of filtering out these character, is ok to filter <script instead in case someday i forgot to use htmlspecialchars
$endgroup$
– pabloBar
Aug 10 at 21:35













$begingroup$
2. and 3. True and i completely agree, but the reason i chose to do it like that is because i was not really certain if there where any magical/non-visible character that might cause a problem with sql. But as long i am using prepared statments i guess i should be fine. Are there edge case scenarios that i should be aware of, where having quote characters in the database might be dangerous?
$endgroup$
– pabloBar
Aug 10 at 21:36





$begingroup$
2. and 3. True and i completely agree, but the reason i chose to do it like that is because i was not really certain if there where any magical/non-visible character that might cause a problem with sql. But as long i am using prepared statments i guess i should be fine. Are there edge case scenarios that i should be aware of, where having quote characters in the database might be dangerous?
$endgroup$
– pabloBar
Aug 10 at 21:36





2




2




$begingroup$
Nothing more to worry about. You're using the database API correctly. Just trust that it does the right thing, and don't apply any extra data-corrupting transformations. As long you call htmlspecialchars() when outputting the string as HTML, that will correctly take care of XSS concerns.
$endgroup$
– 200_success
Aug 10 at 23:06




$begingroup$
Nothing more to worry about. You're using the database API correctly. Just trust that it does the right thing, and don't apply any extra data-corrupting transformations. As long you call htmlspecialchars() when outputting the string as HTML, that will correctly take care of XSS concerns.
$endgroup$
– 200_success
Aug 10 at 23:06












$begingroup$
just a side question, why did you drop the ENT_SUBSTITUTE flag ?
$endgroup$
– pabloBar
Aug 11 at 20:30




$begingroup$
just a side question, why did you drop the ENT_SUBSTITUTE flag ?
$endgroup$
– pabloBar
Aug 11 at 20:30












$begingroup$
Because html_entity_decode() should be unnecessary altogether, if you don't apply a superfluous round of encoding with htmlentities().
$endgroup$
– 200_success
Aug 12 at 2:00




$begingroup$
Because html_entity_decode() should be unnecessary altogether, if you don't apply a superfluous round of encoding with htmlentities().
$endgroup$
– 200_success
Aug 12 at 2:00

















draft saved

draft discarded
















































Thanks for contributing an answer to Code Review Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f225894%2fphp-santization-of-textarea-input%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Get product attribute by attribute group code in magento 2get product attribute by product attribute group in magento 2Magento 2 Log Bundle Product Data in List Page?How to get all product attribute of a attribute group of Default attribute set?Magento 2.1 Create a filter in the product grid by new attributeMagento 2 : Get Product Attribute values By GroupMagento 2 How to get all existing values for one attributeMagento 2 get custom attribute of a single product inside a pluginMagento 2.3 How to get all the Multi Source Inventory (MSI) locations collection in custom module?Magento2: how to develop rest API to get new productsGet product attribute by attribute group code ( [attribute_group_code] ) in magento 2

Image
Is it safe to keep the GPU on 100% utilization for a very long time? What happens when the drag force exceeds the weight of an object falling into earth? shebang or not shebang The unknown and unexplained in science fiction Are wands in any sort of book going to be too much like Harry Potter? How do I minimise waste on a flight? Concatenate all values of the same XML element using XPath/XQuery Did any early RISC OS precursor run on the BBC Micro? Single supply non-inverting amplifier using op amp Employee is self-centered and affects the team negatively Why always 4...dxc6 and not 4...bxc6 in the Ruy Lopez Exchange? TikZ/PGF draw algorithm Learning how to read schematics, questions about fractional voltage in schematic How can I test a shell script in a "safe environment" to avoid harm to my computer? A♭ major 9th chord in Bach is unexpectedly dissonant/jazzy What detail can Hubble see on Mars? Drug Testing and Prescribed Medications Justific
Read more

Category:9 (number) SubcategoriesMedia in category "9 (number)"Navigation menuUpload mediaGND ID: 4485639-8Library of Congress authority ID: sh85091979ReasonatorScholiaStatistics

Image
Natural numbersSquare numbersCategories requiring diffusion Help Category:9 (number) From Wikimedia Commons, the free media repository Jump to navigation Jump to search number: 9 (nine) instance of: natural number, deficient number, square number, composite number, odd number, centered cube number, centered octagonal number and nonagonal number other integers: -8 • -4 • -2 • -1 • 0 • 1 • 2 • 3 • 4 • 5 • 6 • 7 • 8 • 9 • 10 • 11 • 12 • 13 • 14 • 15 • 16 • 17 • 18 • 19 • 20 • 21 • 22 • 23 • 24 • 25 • 26 • 27 • 28 • 29 -20 • 0 • 10 • 20 • 30 • 40 • 50 • 60 • 70 • 80 • 90 • 100 • 110 • 120 • 130 • 140 • 150 • 160 • 170 • 180 • 190 • 200 This category has become too crowded. It should list very few images directly. Files should be moved to subcategories where appropriate. New subcategories can be created. Some files need to be moved elsewhere. Search for more categories: fulltext, Main Page, topics, meta categories. Please remove or replace this tag
Read more

Magento 2.3: How do i solve this, Not registered handle, on custom form?How can i rewrite TierPrice Block in Magento2magento 2 captcha not rendering if I override layout xmlmain.CRITICAL: Plugin class doesn't existMagento 2 : Problem while adding custom button order view page?Magento 2.2.5: Overriding Admin Controller sales/orderMagento 2.2.5: Add, Update and Delete existing products Custom OptionsMagento 2.3 : File Upload issue in UI Component FormMagento2 Not registered handleHow to configured Form Builder Js in my custom magento 2.3.0 module?Magento 2.3. How to create image upload field in an admin form

Image
2000s (or earlier) cyberpunk novel: dystopia, mega storm, omnipresent noise How important is it for multiple POVs to run chronologically? PhD: When to quit and move on? Motorcyle Chain needs to be cleaned every time you lube it? Why do most airliners have underwing engines, while business jets have rear-mounted engines? How to supply water to a coastal desert town with no rain and no freshwater aquifers? How come a desk dictionary be abridged? What's the big deal about the Nazgûl losing their horses? Is this standard Japanese employment negotiations, or am I missing something? Should I increase my 401(k) contributions, or increase my mortgage payments Is there a way to change the aspect ratio of a DNG file? Why is there paternal, for fatherly, fraternal, for brotherly, but no similar word for sons? What can a novel do that film and TV cannot? Is conquering your neighbors to fight a greater enemy a valid strategy? /api/sitecore is not working in CD server
Read more