I have a user input field which will be stored into a 'tinytext' field in a MySQL database; pretty standard stuff. I am wondering if there is some sort of standard or best-practice to adhere to when it comes to escaping html special characters using the php function htmlentities()?

Should I use htmlentities() before I store the data in the database or should I run the function on the data every time it is output from the website?

  • @John Conde, bit of a newb question but how do you do that thing to make inline code look good? I was trying to and couldn't figure it out :P – Gricey Aug 08 '12 at 10:43
  • Just edit your question and you'll see how I formatted it. I just added backticks ` around any text I wanted to highlight as code – John Conde Aug 08 '12 at 10:47

1 Answer

There is usually no reason to use htmlentities() at all any more. Just store everything in UTF-8 fields and adhere to UTF-8 all the way through.

When outputting unsafe user input as HTML, use htmlspecialchars(), ideally at the time of output so you have a copy of the original data.

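The store-raw, escape-at-output approach the answer recommends, as an added example that is not from the question or the answer; the `comments` table, its `body` column and the `e()` helper name are assumptions:

```php
<?php
// Added example (not from the question or answer): keep the raw UTF-8 text
// in the database and escape only when rendering HTML.
declare(strict_types=1);

// Escape for an HTML text node or attribute value. ENT_QUOTES covers both
// quote styles so the value is also safe inside attributes; ENT_SUBSTITUTE
// replaces invalid UTF-8 sequences instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Store the input as-is: the prepared statement takes care of SQL quoting,
// and keeping the original text means it can later be put back into a form
// field, exported as JSON or sent by e-mail without undoing HTML entities.
function saveComment(PDO $db, string $comment): void
{
    // Assumed schema: comments(body TINYTEXT) in a utf8mb4 table.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
}

// Render at output time, exactly once, from the stored original.
function renderComment(string $comment): string
{
    return '<p class="comment">' . e($comment) . '</p>';
}

// Constructed sample input: markup plus a non-ASCII character.
$input = '<script>alert("hi")</script> & café';

// htmlentities() would also turn "é" into "&eacute;", which is unnecessary
// on a UTF-8 page; htmlspecialchars() leaves it alone and escapes only <>&"'.
echo renderComment($input), PHP_EOL;

// Escaping a value that was already escaped before storage double-encodes
// it ("&amp;" becomes "&amp;amp;") and shows the entity text to the user:
echo e(e('&')), PHP_EOL;
```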