I need to convert my strings to special characters using htmlspecialchars.
My question is, should I convert my data before submitting it to a database or should I convert it before I display it?
You should sanitize data before inserting it into a database, and escape it on retrieval. htmlspecialchars is used for escaping, so it should be after you've fetched it from the database.
It makes the data safe to insert into an HTML document. Use it before you insert it into an HTML document, not a database.
It's generally the better idea to not modify source data before storing it. It will tie your data to the specific context you're using it in. What if you ever need a different way of displaying it, e.g. in a PDF, or text format? Then you will have the html entities in your text and would need to convert them back.
IMHO, performance considerations are secondary in this regard; one can still make use of caching technologies for views for this.
So, the bottom line: I suggest you always prepare your strings before display.
I'm assuming the data is already escaped/sanitised before you put it into the database so it is safe. From there, I try to change the data as little as possible on the way to the database.
The thing to remember is that maybe you're using the copy now on your website, but later down the line you may like to use it on a different device or in print. If you use htmlspecialchars before it goes to the database, you'll have to clean it up if you want to use it for something other than HTML. Formatting dates as strings before putting them into a database is a common one, but when you want to change the format...
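The answers above all make the same point: keep the SQL boundary and the HTML boundary separate, store the raw text, and run htmlspecialchars only at the moment the string is written into an HTML document. The following script is an added illustration of that layout, not code from any of the posters; it uses an in-memory SQLite database so it runs stand-alone, and the table name, column names and sample comment are constructed for the example.

```php
<?php
// Added example (not from the thread): store the raw string with a bound
// parameter, escape only when rendering HTML, and hand the unmodified
// string to any non-HTML consumer.
// The "comments" table and "body" column are assumptions for this demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input, as it might arrive from a form field.
$userInput = 'Tom & Jerry say: <b>"hi"</b>';

// SQL boundary: the bound parameter keeps the text out of the SQL grammar.
// No htmlspecialchars here; the raw string is exactly what gets stored.
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $userInput]);

function fetchComment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// HTML boundary: escape at the point the string enters the document.
// ENT_QUOTES covers both quote styles so the value is also safe inside
// attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string.
function renderHtml(string $text): string
{
    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// A non-HTML consumer (plain-text export, PDF generator, API response)
// receives the stored value unchanged and never has to decode entities.
function renderPlainText(string $text): string
{
    return $text . PHP_EOL;
}

$stored = fetchComment($pdo, 1);

// The same stored value feeds both outputs; only the HTML path escapes.
echo renderHtml($stored), PHP_EOL;
echo renderPlainText($stored);
```

Because escaping happens in renderHtml() rather than before the INSERT, the database holds the text the user actually typed, and adding a second output format later means writing one more render function, not rewriting stored rows.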