This might be a stupid question but after all the research on best practices – including this great SO post that explains sanitizing, validation, escaping for storage and escaping for display – I am still confused.
I have built a routine where I sanitize user input – say, a comment post, or "edit my first name" string – with $value = filter_var($value, FILTER_SANITIZE_STRING);. Given a value of <a href="https://buy.my.stuff/">O'Hara</a>, that gets rid of <a></a> and similar tags nicely. Then this new value gets validated: error if empty value and field is not nullable; or if too long; etc. Lastly, I save that value in the DB using a CakePHP query builder – which, of course, supports binding string values.
But when I then save that value in the DB, it is saved as O&#39;Hara instead of O'Hara – because of said sanitization.
- Am I supposed to decode it back / to yet another format? If so with which method?
- Or, am I to use the sanitized version for validation but then the original value for DB stora-- that can't be it.
- Or is FILTER_SANITIZE_STRING a flag I need to tweak? The tutorials I've seen [1] [2] suggest that the flag is enough.
I feel so dumb because that great post mentioned earlier seems to still not be enough for me. All I can find are posts from ~2012 that say you should bind.
Any help would be appreciated.
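The following is an added, runnable example that is not part of the question above and is not CakePHP's or PHP's own code. It reproduces the behaviour the question describes (FILTER_SANITIZE_STRING turning the apostrophe in O'Hara into &#39;), shows the FILTER_FLAG_NO_ENCODE_QUOTES flag, and then contrasts that with the validate-raw, bind-for-storage, escape-at-output pattern using plain PDO with an in-memory SQLite database standing in for the CakePHP query builder. Assumptions: PHP 7.4 or later with the pdo_sqlite and mbstring extensions; the users table, first_name column, 50-character limit and the helper function names are invented for the demonstration.

```php
<?php
// Added example, not code from the question or from CakePHP/PHP itself.
// Shows what FILTER_SANITIZE_STRING does to O'Hara and contrasts it with
// validating the raw value, binding it for storage and escaping at output.
// Assumed: PHP 7.4+ with the pdo_sqlite and mbstring extensions; the users
// table, first_name column, 50-character limit and helper names are invented.
declare(strict_types=1);

// Constructed input, the same string the question uses.
$raw = '<a href="https://buy.my.stuff/">O\'Hara</a>';

// 1. The sanitizer strips tags and, with default flags, also rewrites
//    ' and " as the entities &#39; and &#34;. That rewrite is what ends
//    up in the database. FILTER_FLAG_NO_ENCODE_QUOTES turns it off.
//    (FILTER_SANITIZE_STRING is deprecated since PHP 8.1; @ hides that notice.)
$encoded   = @filter_var($raw, FILTER_SANITIZE_STRING);
$unencoded = @filter_var($raw, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
echo "sanitized, default flags:     $encoded\n";
echo "sanitized, NO_ENCODE_QUOTES:  $unencoded\n";

// 2. Validate the raw value against the field's rules and reject what
//    fails. Nothing is rewritten, so O'Hara survives unchanged.
function validateFirstName(?string $value, int $maxLen): array
{
    $errors = [];
    if ($value === null || trim($value) === '') {
        $errors[] = 'required';
        return $errors;
    }
    if (mb_strlen($value, 'UTF-8') > $maxLen) {
        $errors[] = "longer than $maxLen characters";
    }
    if ($value !== strip_tags($value)) {
        $errors[] = 'markup is not allowed';  // refuse it instead of silently repairing it
    }
    return $errors;
}

// 3. Store with a bound parameter. The driver receives the value separately
//    from the SQL text, so the apostrophe needs no escaping of any kind.
//    (A query builder that binds string values does the same thing.)
function storeFirstName(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('INSERT INTO users (first_name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $pdo->lastInsertId();
}

function loadFirstName(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT first_name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// 4. Escape for the output context, here HTML, at render time only.
function renderForHtml(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT NOT NULL)');

// The raw submission carries markup, so validation rejects it outright.
echo 'raw input with tags: ' . implode(', ', validateFirstName($raw, 50)) . "\n";

// A plain first name passes, is stored as typed, and is escaped on the way out.
$typed  = "O'Hara";   // constructed: what the user entered in "edit my first name"
$errors = validateFirstName($typed, 50);
if ($errors !== []) {
    fwrite(STDERR, 'rejected: ' . implode(', ', $errors) . "\n");
    exit(1);
}
$stored = loadFirstName($pdo, storeFirstName($pdo, $typed));
echo "stored in the DB:             $stored\n";
echo "escaped for an HTML page:     " . renderForHtml($stored) . "\n";

// Storing the sanitized form instead double-encodes at render time, which is
// the symptom of escaping for display before the value reaches storage.
echo "sanitized form, then escaped: " . renderForHtml($encoded) . "\n";
```

Run it with `php example.php` from the command line. The last line of output is the practical caveat: a value that was already entity-encoded by the sanitizer gets encoded again by htmlspecialchars when the page is rendered, so the display step would have to know whether the stored value was pre-encoded. Keeping storage raw (and relying on bound parameters for the SQL boundary) avoids that question, and the validation step rejects markup rather than rewriting it.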
