Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
481 views
in Technique[技术] by (71.8m points)

php - Should htmlspecialchars() be used on information on input or just before output?

I take $_POST information and store it in a DB and later on query and print this information to the user. Should I use htmlspecialchars() before inserting this info or after I query it before I output it?

In addition I need the ability for users to have the ability to use quotes and other everyday special chars. I know I can use the flag ENT_NOQUOTES but it feels like if I do that it leaves security holes.

My site allows Bbcode and I want users to be able to use everyday characters without having to see "amp;lt;<?>&".

Patience with me <--- noob is encouraged! Thanks :D

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Should I use htmlspecialchars() before inserting this info or after I query it before I output it?

Escape data for the target code just before you insert it. i.e. Just before you output it.

This means that you will keep the data in its original form for other purposes (e.g. outputting to the user for editing, including in an email, generating a PDF, searching, etc)

In addition I need the ability for users to have the ability to use quotes and other everyday special chars. I know I can use the flag ENT_NOQUOTES but it feels like if I do that it leaves security holes.

htmlspecialchars() will convert quotes in the inputted data into HTML. So you don't need to do anything special.

My site allows Bbcode

Then you need to have a proper BBCode parser.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...