Mawg

Reputation: 40175

Can I "unsanitize" during a PDO SELECT?

I am coding both client & server. The user inputs data in the browser, which is sent to my PHP code on the server.

I use filter_input_array on $_GET[] with FILTER_SANITIZE_STRING on the "name" field.

O'Reilly becomes O&#39;Reilly, and this is stored in the database.

Of course, the next time the client fetches the data and displays it in the browser, the user complains.

Is there any way to "unsanitize" when I SELECT the data from the MySQL database using PDO?

Upvotes: 0

Views: 115

Answers (1)

Sami Kuhmonen

Reputation: 31173

When saving data in the database the proper way is to store the data as it is used, meaning with the ' as is. Then you don't need to do anything to the data when it is displayed.

You can use the FILTER_FLAG_NO_ENCODE_QUOTES flag to disable encoding for " or ' in the string. If you want to just get rid of HTML tags, you can also use the strip_tags() function instead for that value.

You always want to use parameters in the queries since that helps with SQL injection issues, but whether you want to strip tags, sanitize input or something else depends on what you want to do with the data. So sometimes you just use parameters, sometimes also sanitize.

Upvotes: 1
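As an added example, not code from the question or the answer, the PHP script below contrasts the two filter settings, stores the name through a PDO prepared statement (an in-memory SQLite database stands in for MySQL so it runs offline), and escapes the value with htmlspecialchars() only at render time. The input string is constructed; FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, so strip_tags() is shown alongside it.

```php
<?php
// Added example: why FILTER_SANITIZE_STRING mangles apostrophes, how
// FILTER_FLAG_NO_ENCODE_QUOTES avoids it, and where escaping belongs:
// bound parameters on the way into the database, HTML escaping on the way out.

// Constructed input, standing in for $_GET['name'] from the browser.
$input = ['name' => "O'Reilly <b>bold</b>"];

// The questioner's setting: tags are stripped AND quotes become HTML
// entities (&#39;) before the value ever reaches the database.
$encoded = filter_var_array($input, ['name' => FILTER_SANITIZE_STRING]);

// The answer's setting: tags are still stripped, but the apostrophe is kept.
$plain = filter_var_array($input, [
    'name' => [
        'filter' => FILTER_SANITIZE_STRING,
        'flags'  => FILTER_FLAG_NO_ENCODE_QUOTES,
    ],
]);

// FILTER_SANITIZE_STRING is deprecated since PHP 8.1; strip_tags() gives the
// same tag removal without touching quotes.
$viaStripTags = strip_tags($input['name']);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Bound parameter: the apostrophe is data, never part of the SQL text, so no
// quote encoding is needed to keep the statement safe.
$insert = $pdo->prepare('INSERT INTO people (name) VALUES (:name)');
$insert->execute([':name' => $plain['name']]);

// Reading it back needs no "unsanitizing" because nothing was altered on the way in.
$select = $pdo->prepare('SELECT name FROM people WHERE name = :name');
$select->execute([':name' => $plain['name']]);
$row = $select->fetch(PDO::FETCH_ASSOC);

// Escape for the output context (HTML) at display time, not at storage time.
$html = htmlspecialchars($row['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

echo "encoded at input: {$encoded['name']}\n";
echo "quotes preserved: {$plain['name']}\n";
echo "strip_tags only:  {$viaStripTags}\n";
echo "read from db:     {$row['name']}\n";
echo "escaped for html: {$html}\n";
```

Run it with `php example.php`; the stored and fetched value keeps its apostrophe, and the entity appears only in the final, HTML-escaped line.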
