Possible Duplicate:
How should be kept as HTML tags in database?

I will store HTML code through the admin page of my PHP program. I use prepared statements in PDO for storing. But before that, do I need to use htmlspecialchars() or htmlentities()?

Or will storing the HTML using a prepared statement work fine? Any overheads later?

Later this HTML is used to display as content inside an HTML page, and this content from the database should render as HTML itself.

Vpp Man
  • And the difference between both functions: http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars – matino Dec 08 '11 at 12:05

3 Answers

3

You should use htmlspecialchars on output, not when storing. PDO will handle the safety for storing the input.

mishu
  • Basically, prepared statements will handle the escaping of your strings. You need to use something like htmlspecialchars when you output, to be sure that content provided by some user doesn't get parsed, this way protecting your website from things like JavaScript written by your users. – mishu Dec 08 '11 at 12:07
  • Quote: "Later this HTML is used to display as content inside an HTML page, and this content from the database should render as HTML itself." If you use htmlspecialchars() you will get text output of the HTML code. – Mythli Dec 08 '11 at 12:32
  • The answer does not suggest using htmlspecialchars **every time**, if that is why you chose to vote down. It just states that the purpose of the function mentioned by the OP is to escape output, not input. This way, if you have content provided by users, you can be sure, for example, that JavaScript code they save doesn't execute. The same thing is stated in the clarification added in the first comment ("[..]that content provided by some user[..]"). – mishu Dec 08 '11 at 13:08
  • You suggest using htmlspecialchars() for displaying, which does not reflect what the OP asked for, and you don't mention the problems related to the character set. Your answer more likely fits a question with the title "How to prevent displaying HTML for some users". Also, it is a guess that his admin panel has users and that he wants to prevent some of them from getting HTML displayed. Therefore this should be written as a comment, since it's advice. I hope I have clarified my standpoint and you understand it. – Mythli Dec 08 '11 at 13:40
2

For real, in your case no precautions should be taken.

There is no need for htmlspecialchars() as you want to display HTML, and no need to use htmlentities() if the character set of your site is equal to the one you use in your database. Also, you don't have to escape the string on your own, as prepared statements will take care of that.

However, htmlentities() will not cause any harm, but using it is just a waste of performance. The easiest way to deal with the character set is to simply use UTF-8 to avoid any conflicts.

Mythli
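Putting mishu's and Mythli's points together, here is an added example (not code from either answer) of the whole path in PHP: store the HTML untouched with a PDO prepared statement, then decide at output time whether to emit it raw (content authored by your own admins) or pass it through htmlspecialchars() (content from other users). The table layout and the in-memory SQLite database are assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not code from any answer above. Uses an in-memory SQLite
// database so it runs stand-alone; with MySQL the only change is the DSN,
// e.g. 'mysql:host=...;dbname=...;charset=utf8mb4' (the charset keeps the
// stored bytes and the page encoding aligned, as Mythli's answer advises).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Storing: bind the raw HTML. No htmlspecialchars()/htmlentities() here;
// the bound parameter never becomes part of the SQL text, so quotes and
// angle brackets in the HTML cannot alter the statement.
function storePage(PDO $pdo, string $html): int
{
    $stmt = $pdo->prepare('INSERT INTO pages (body) VALUES (:body)');
    $stmt->execute([':body' => $html]);
    return (int) $pdo->lastInsertId();
}

// Reading back returns exactly the bytes that were stored.
function loadPage(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : (string) $body;
}

// The escaping decision belongs at output time and depends on who wrote
// the content, not on how it was stored.
function renderTrustedHtml(string $html): string
{
    return $html;   // admin-authored HTML: emit as-is so the browser renders it
}

function renderUntrustedText(string $text): string
{
    // user-supplied text: escape so a <script> tag is displayed, not executed
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$html = "<p>Hello <b>world</b> &amp; 'friends'</p>";   // constructed sample
$id = storePage($pdo, $html);
if (loadPage($pdo, $id) !== $html) { throw new RuntimeException('stored HTML changed'); }
echo renderTrustedHtml(loadPage($pdo, $id)), "\n";
echo renderUntrustedText('<script>alert(1)</script>'), "\n";
```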
0

Just refer to the old posts: Store HTML into MySQL database

How to store html in a mysql database

This will give you a good solution.

Manigandan Arjunan