How to properly sanitize data received from a textarea when it is returned to the textarea?

The user enters text in the textarea. It is then inserted directly into the MySQL database. I use trim, htmlentities, mysql_real_escape_string, and I have magic quotes on. How should I sanitize it when returning this data to a textarea?

Thank you for your help. I was never too sure of the right way to do this ...

+7
html php mysql forms sanitization
2 answers

You should not use htmlentities when saving it. You should use htmlentities when displaying it. The rule of thumb is not to encode/sanitize data until you need to. If you run htmlentities on it while saving, you need to html_entity_decode the text when the user wants to edit the input. Therefore, you sanitize for what you need, and nothing more. When saving it, you need to sanitize against SQL injection, so you mysql_real_escape_string it. When displaying, you need to sanitize against XSS, so you htmlentities it.

Also, I'm not sure if you saw Darryl Hein's comment, but you really don't want magic_quotes enabled. They are a bad, bad thing, are deprecated as of PHP 5.3, and are gone entirely in PHP 6.

+14

In addition to Paolo's answer on when to use htmlentities(), if you are not using an old version of PHP, the correct sanitization method for inserting into a MySQL database is to use prepared statements, which are part of the mysqli extension. This removes any need for mysql_real_escape_string().

Also, I think you have things.

+2
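The two answers above fit together into one round trip: store the raw text with a mysqli prepared statement (no mysql_real_escape_string, no htmlentities on the way in), and encode only when the value is written back into the textarea. The script below is an added example, not code from the question or either answer. It assumes PHP 7.1 or later with the mysqli extension, a table `posts` with columns `id INT AUTO_INCREMENT PRIMARY KEY` and `body TEXT`, and the placeholder database credentials shown; the magic_quotes handling is only there for the old PHP versions the question describes, and is skipped automatically where that function no longer exists.

```php
<?php
// Added example, not from the original question or answers.
// Assumes: PHP >= 7.1, mysqli, table `posts` (id INT AUTO_INCREMENT, body TEXT),
// and the placeholder credentials below.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

// Take the submitted text as-is. The only change on the way in is undoing
// magic_quotes_gpc, which old PHP versions apply before the script runs;
// get_magic_quotes_gpc() is gone in PHP 8, so it is guarded with function_exists().
function raw_input(string $name): string {
    $value = isset($_POST[$name]) ? (string) $_POST[$name] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return trim($value);
}

// Store the raw text. The body travels as a bound parameter, never inside the
// SQL string, so quotes and semicolons in it cannot change the query.
function save_post(mysqli $db, string $body): int {
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    $id = $db->insert_id;
    $stmt->close();
    return $id;
}

// Read it back exactly as stored: no html_entity_decode step is needed
// because nothing was encoded when saving.
function load_post(mysqli $db, int $id): ?string {
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($body);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $body : null;
}

// Encode at output time, for the context the value lands in (HTML text inside
// a <textarea>). ENT_QUOTES also covers the attribute value for `name`.
function textarea_html(string $name, string $body): string {
    return '<textarea name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($body, ENT_QUOTES, 'UTF-8')
         . '</textarea>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = save_post($db, raw_input('body'));
    header('Location: ?id=' . $id);
    exit;
}

$id   = isset($_GET['id']) ? (int) $_GET['id'] : 0;
$body = $id ? (load_post($db, $id) ?? '') : '';
?>
<form method="post">
<?= textarea_html('body', $body) ?>
<button type="submit">Save</button>
</form>
```

Submitting a body such as `</textarea><script>alert(1)</script>` or `'; DROP TABLE posts; --` stores those bytes verbatim, and the textarea shows them as literal text because `<`, `>` and quotes are encoded on the way out. htmlspecialchars is used rather than htmlentities because it encodes exactly the characters that matter in HTML and leaves the rest of the user's text untouched; htmlentities at the same point would also be safe. If the same value is ever placed somewhere other than HTML text (a JavaScript string, a URL), it needs that context's encoding instead, which is the reason the answer above says to encode at display time and not when saving.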
