I'm developing a PHP front-end for a review site. The data submitted by the user will be processed by PHP and submitted to MySQL database.
In order to prevent unexpected entries, we would apply htmlentities() to the user input before doing mysql_real_escape_string().
This is to say, for example, if the user enters:
We want the text to be encoded to (pardon the spaces between & and the entity):
Such that when viewed from a browser, instead of displaying the comment in bold (due to <strong></strong> ) , we want the text to be displayed as is. That is: Shown literally as <strong>This & that - it's all "your choice"</strong>
Now the question is, when is the better time to apply htmlentities()?
1. When the user enters the text, the PHP script will do the htmlentities(), then store the encoded text into database. With this, the text don't need to be encoded everytime we display the text.
2. When the user enters the text, the entry is submitted to the database as is. Only when the text is displayed then we do the encoding with htmlentities() called to the data.
Of course there are dis/advantages to both approach. Let's say if someday we change our development such that the user's review are to be displayed in full HTML (that is - to show the above text as bold), we will then have to do html_entity_decode() on all the texts IF we choose to store using method #1.
However, if the data is stored using method #2, then we just read out the text from database and display them as is.
So, what's your opinion on this?
Should the data be encoded before submitting to database, or when it's displayed?
Any performance or security concern if we choose to apply either one of the method?
Or is there better way to store the data and still open for future changes?
thanks.
-stndn.
edit:
modified the second line to show the &-encoded texts
In order to prevent unexpected entries, we would apply htmlentities() to the user input before doing mysql_real_escape_string().
This is to say, for example, if the user enters:
We want the text to be encoded to (pardon the spaces between & and the entity):
Such that when viewed from a browser, instead of displaying the comment in bold (due to <strong></strong> ) , we want the text to be displayed as is. That is: Shown literally as <strong>This & that - it's all "your choice"</strong>
Now the question is, when is the better time to apply htmlentities()?
1. When the user enters the text, the PHP script will do the htmlentities(), then store the encoded text into database. With this, the text don't need to be encoded everytime we display the text.
2. When the user enters the text, the entry is submitted to the database as is. Only when the text is displayed then we do the encoding with htmlentities() called to the data.
Of course there are dis/advantages to both approach. Let's say if someday we change our development such that the user's review are to be displayed in full HTML (that is - to show the above text as bold), we will then have to do html_entity_decode() on all the texts IF we choose to store using method #1.
However, if the data is stored using method #2, then we just read out the text from database and display them as is.
So, what's your opinion on this?
Should the data be encoded before submitting to database, or when it's displayed?
Any performance or security concern if we choose to apply either one of the method?
Or is there better way to store the data and still open for future changes?
thanks.
-stndn.
edit:
modified the second line to show the &-encoded texts