Is It Better To Escape/encode The User Input Before Storing It To Database Or To Store It As It Is In Database And Escape It While Retrieving?
Solution 1:
- Why do you expect that you will always use the data in an HTML context? "I <3 you" and "I &lt;3 you" is not the same data. Therefore, store the data as it's intended in the database. There's no reason to store it escaped.
- HTML escaping the data when and only when necessary gives you the confidence to know what you're doing. This:

  ```php
  echo htmlspecialchars($data);
  ```

  is a lot better than:

  ```php
  echo $data; // The data should already come escaped from the database.
              // I hope.
  ```
Solution 2:
An even better reason is that on truncating to fit a certain space you'll get stuck with abominations such as "&quo...". Resist the temptation to fiddle with your data more than the minimum required. If you're worried about reprocessing the data, cache it.
Solution 3:
My recommendation is to store the data in the database in its purest form. The only reason you want to convert it into &lt;script&gt; is because you'll need to display it in an HTML document later. But the database itself doesn't have a need to know about what you do with the data after you retrieve it.
Solution 4:
As well as XSS attacks, shouldn't you also be worried about SQL injection attacks if you're putting user input into a database? In which case, you will want to escape the user input BEFORE putting it into the database anyway.
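Added example (Python with sqlite3, not code from the original thread) putting Solutions 1, 2 and 4 together: the text is stored exactly as typed, the SQL-injection concern is handled by a parameterized query rather than by escaping, and HTML escaping happens only at output, after any truncation. The table schema and the sample comment are assumptions made for the example.

```python
import html
import sqlite3
from typing import Optional

# Constructed sample input: what a user might type into a comment field.
SAMPLE_COMMENT = 'I <3 you & "quotes"'


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for a comments table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def store_comment(conn: sqlite3.Connection, body: str) -> int:
    """Store the text exactly as entered. The ? placeholder keeps the value
    out of the SQL grammar, so quotes and apostrophes in it are just data."""
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()
    return cur.lastrowid


def load_comment(conn: sqlite3.Connection, comment_id: int) -> str:
    """Read the comment back; what comes out is what went in."""
    row = conn.execute(
        "SELECT body FROM comments WHERE id = ?", (comment_id,)
    ).fetchone()
    return row[0]


def render_html(body: str, max_len: Optional[int] = None) -> str:
    """Escape at the HTML boundary, after truncating the raw text, so no
    entity is ever cut in half."""
    if max_len is not None and len(body) > max_len:
        body = body[:max_len] + "..."
    return "<p>" + html.escape(body, quote=True) + "</p>"


def truncate_pre_escaped(body: str, max_len: int) -> str:
    """The anti-pattern from Solution 2: text escaped before storage and
    then truncated to fit, which can leave a broken entity like "&quo..."."""
    escaped = html.escape(body, quote=True)
    return escaped[:max_len] + "..."
```

A user who literally types `I &lt;3 you` is rendered as `&amp;lt;3`, which is how the two strings from Solution 1 stay distinct.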