Reputation: 1075
I am using the htmlspecialchars() function to prevent XSS attacks. I have a doubt regarding which of the following is the better method to store the data in the database.
Method 1: Store the user input values after applying the htmlspecialchars() function. Using this, the user input "<script>" will become "&lt;script&gt;".
Method 2: Store the user input as it is and apply the htmlspecialchars() function while retrieving the data and displaying it on the page.
The reason for my doubt is that I believe with method 1 there will be overhead on the database, while with method 2 the data needs to be converted again and again when requested through PHP. So I am not sure which one is better.
For more information, I am using htmlspecialchars($val, ENT_QUOTES, "UTF-8") so that it will convert ' and " as well.
Please help me clear my doubt. Also provide explanation if possible.
Thanks.
Upvotes: 7
Views: 3658
Reputation: 46559
My recommendation is to store the data in the database in its purest form. The only reason you want to convert it into &lt;script&gt; is because you'll need to display it in an HTML document later. But the database itself doesn't have a need to know about what you do with the data after you retrieve it.
Upvotes: 4
Reputation: 522081
HTML escaping the data when and only when necessary gives you the confidence to know what you're doing. This:
echo htmlspecialchars($data);
is a lot better than:
echo $data; // The data should already come escaped from the database.
// I hope.
Upvotes: 13
Reputation: 1035
As well as XSS attacks, shouldn't you also be worried about SQL injection attacks if you're putting user input into a database? In which case, you will want to escape the user input BEFORE putting it into the database anyway.
Upvotes: -1
Reputation: 798676
An even better reason is that on truncating to fit a certain space you'll get stuck with abominations such as "&quo..."
. Resist the temptation to fiddle with your data more than the minimum required. If you're worried about reprocessing the data, cache it.
Upvotes: 8
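An added example, not code from any of the answers above, that ties the answers together in PHP: the raw text is stored through a prepared statement (which covers the SQL injection concern independently of XSS), escaped with the question's own htmlspecialchars flags only at render time, and truncated before escaping so the "&quo..." problem from the last answer cannot occur. It assumes the pdo_sqlite and mbstring extensions are available; the table name and sample input are constructed for the example.

```php
<?php
// Added example, not from any answer on this page. Assumes the pdo_sqlite
// and mbstring extensions; the table and sample text are constructed here.
declare(strict_types=1);

// Escape for an HTML text node or attribute, with the question's own flags.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Cut a UTF-8 string to at most $max characters, marking the cut with "...".
function truncate(string $value, int $max): string
{
    if (mb_strlen($value, 'UTF-8') <= $max) {
        return $value;
    }
    return mb_substr($value, 0, $max, 'UTF-8') . '...';
}

// Constructed user input: markup plus characters that become entities.
$userInput = 'Tom & Jerry said "hi" <script>alert(1)</script>';

// SQL injection is handled by the prepared statement, not by HTML escaping,
// so the raw text can go into the database unchanged (method 2).
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $userInput]);

$stored = (string) $pdo->query('SELECT body FROM comments')->fetchColumn();

// Render time is the only point where the text is escaped.
echo 'Full comment : ' . escapeHtml($stored) . "\n";

// Truncating the raw text first, then escaping, never splits an entity.
echo 'Method 2 cut : ' . escapeHtml(truncate($stored, 25)) . "\n";

// For contrast, method 1 (escaping before storing) leaves the stored text
// full of entities that a later truncation cuts mid-way ("&quo...").
echo 'Method 1 cut : ' . truncate(escapeHtml($userInput), 25) . "\n";
```

The method 1 line ends in a broken entity because the cut lands inside "&quot;", while the method 2 line is valid HTML whose visible text is simply shortened.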