7

I wonder if there's any downside or bad practice in doing the following procedure:

  1. $user_input -> htmlentities($user_input) -> mysql_escape($user_input) -> insert $user_input into DB
  2. Select $user_input from DB -> echo $user_input

instead of doing the following:

  1. $user_input -> mysql_escape($user_input) -> insert $user_input into DB
  2. Select $user_input from DB -> echo htmlentities($user_input)

As we display the same $user_input in a lot of places, it feels more efficient to do it on the input instead; are there any downsides / bad practice / exploitability in doing it this way?

Cheers!

Good replies to the question from:

@Matt: In general, to keep things readable and maintainable, try to store it as close to the original, unfiltered content as possible. It depends on two things: Is any other person/program going to reference this data? Does the data need to be easily editable?

@Sjoerd: There is a downside if you want to display the data as something else than HTML, e.g. a CSV download, PDF, etc.

3 Answers

3

It depends on two things:

  • Is any other person/program going to reference this data?
  • Does the data need to be easily editable?

The advantage of method one is that, in the case that the data is used in one place, and htmlentities() would be called every time, you'd be saving this step.

However, this would only leave a notable improvement if the HTML data is very large. In general, to keep things readable and maintainable, try to store it as close to the original, unfiltered content as possible.

In fact, you might find that HTML is the wrong thing to store anyway. It might be better to store something like Markdown and simply convert it to HTML when viewed.


3 Comments

Thanks, for this specific application the data is comments on products, i.e. user ratings in a shopping cart, and I want to protect against XSS attacks. So XSS attack avoidance is the focus here.
Is any other person/program going to reference this data? - No at the moment, however maybe later through APIs. Does the data need to be easily editable? - Users should be able to edit their comments.
@samuelf - I would suggest you store the HTML as-is (though you still need to mysql_escape to avoid SQL injections). Calling htmlentities at request-time should not be a large impact.
3

I'd advise against it. If you ever need that data for anything other than displaying it as HTML (display in console, send in text email, write to log, etc.), you'll have to convert it back.

A good practice is to apply such transformations only at the last moment. Use mysql_escape before inserting into the database, use htmlentities (or htmlspecialchars) before displaying as HTML. That way you always know where your escape functions should be. If they're not there, you can easily tell you're doing something wrong. You also know that data in the database is always clean and you don't need to remember if you encoded it, what with and how to turn it back.


1

There is a downside if you want to display the data as something else than HTML, e.g. a CSV download, PDF, etc.
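A worked example, added here and not code from the question or any of the answers, of what the second and third answers recommend: keep the raw text in the database and escape only at the moment of output, once per output context. It uses PDO with an in-memory SQLite database so it runs stand-alone (it assumes the pdo_sqlite extension is available; a real shop would use its MySQL DSN instead). The table, the column name and the sample comment are constructed for the demo. A bound parameter takes the place of mysql_escape(), which, with the rest of the mysql_* extension, was removed in PHP 7.

```php
<?php
// Added example (not from the question or the answers): store the comment
// unmodified, escape at the point of output for whichever format is needed.

// Constructed sample input containing characters that matter to both SQL
// (the single quote) and HTML (angle brackets, ampersand, quotes).
$userInput = "5 stars, isn't it? <script>alert('xss')</script> & \"quotes\"";

// In-memory SQLite stands in for MySQL so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Method two from the question: nothing is escaped on the way in. The bound
// parameter is sent separately from the SQL text, so the quote in the
// comment cannot terminate the string literal; no mysql_escape() needed.
$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $userInput]);

$stored = $db->query('SELECT body FROM comments')->fetchColumn();
if ($stored !== $userInput) {
    throw new RuntimeException('stored text was altered on the way in');
}

// Output context 1: an HTML page. Escape here, with ENT_QUOTES so the value
// is also safe inside a quoted attribute, not only between tags.
function renderHtml(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Output context 2: a CSV download. HTML entities would be wrong here;
// fputcsv() applies the quoting this format actually needs.
function renderCsvRow(string $body): string
{
    $handle = fopen('php://memory', 'r+');
    fputcsv($handle, ['comment', $body]);
    rewind($handle);
    $line = stream_get_contents($handle);
    fclose($handle);
    return $line;
}

echo renderHtml($stored), PHP_EOL;   // script tag arrives as inert text
echo renderCsvRow($stored);          // the raw comment, CSV-quoted

// Method one from the question, for comparison: encoding before INSERT
// means every non-HTML consumer receives entities, and any HTML view that
// escapes again on output (the safe habit) shows "&amp;lt;" to the reader.
$preEncoded = htmlentities($userInput, ENT_QUOTES, 'UTF-8');
echo renderCsvRow($preEncoded);      // entities leak into the CSV
echo renderHtml($preEncoded), PHP_EOL; // double-encoded, displays garbled
```

The two render functions are the only places where escaping happens, which is the property the second answer describes: if a template echoes a database value without going through one of them, the omission is visible in the code rather than hidden behind data that may or may not have been encoded earlier.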

