1

Is it possible to create a trigger that, upon inserting or updating a row, can use the REPLACE function to replace characters with their escaped equivalents (specifically, making input html safe) for all the columns in the table without having to know all the field names (so that this function can be applied to multiple tables). I agree 115% that this sort of thing should always be done at the application level, but due to unique circumstances I'd like to add this as a failsafe at the database level.

I'm very new to triggers, so take it easy on me, but I want to do something to the effect of:

create trigger if not exists makeHTMLsafe after insert on tablename
begin
  loop over all columns in tablename   
    new.value = REPLACE(old.value,"<","&lt;")
end
tony
  • 11
  • 2

1 Answers1

0

Escaping is complicated and error-prone.
You should never try to roll your own escaping function, it is just to risky.

Instead of making things more secure you will make then far less secure.
Use the specialized html escaping functions in your front-end.

When using php, htmlentities is your best bet:

http://php.net/manual/en/function.htmlentities.php
See also: What are the best practices for avoiding xss attacks in a PHP site

Community
  • 1
  • 1
Johan
  • 74,508
  • 24
  • 191
  • 319