PHP & mySQL: When exactly to use htmlentities?

by

Here’s the general rule of thumb.

Escape variables at the last possible moment.

You want your variables to be clean representations of the data. That is, if you are trying to store the last name of someone named “O’Brien”, then you definitely don’t want these:

O'Brien
O\'Brien

.. because, well, that’s not his name: there’s no ampersands or slashes in it. When you take that variable and output it in a particular context (eg: insert into an SQL query, or print to a HTML page), that is when you modify it.

$name = "O'Brien";

$sql = "SELECT * FROM people "
     . "WHERE lastname="" . mysql_real_escape_string($name) . """;

$html = "<div>Last Name: " . htmlentities($name, ENT_QUOTES) . "</div>";

You never want to have htmlentities-encoded strings stored in your database. What happens when you want to generate a CSV or PDF, or anything which isn’t HTML?

Keep the data clean, and only escape for the specific context of the moment.

More Related Contents:

  1. What to put in database columns when creating registration/login system? (xampp)
  2. mysql_fetch_array()/mysql_fetch_assoc()/mysql_fetch_row()/mysql_num_rows etc… expects parameter 1 to be resource
  3. How to properly set up a PDO connection
  4. Query with multiple values in a column
  5. Using PHP 5.5’s password_hash and password_verify function
  6. Search with comma-separated value mysql
  7. How to do this in Laravel, subquery where in
  8. I have an array of integers, how do I use each one in a mysql query (in php)? [duplicate]
  9. Levenshtein: MySQL + PHP
  10. How can I loop through a MySQL result set more than once using the mysql_* functions?
  11. PHP MySQLI Prevent SQL Injection [duplicate]
  12. mysql PDO how to bind LIKE
  13. How do i “echo” a “Resource id #6” from a MySql response in PHP?
  14. mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in [duplicate]
  15. Does mysql_real_escape_string() FULLY protect against SQL injection?
  16. How do I give each registered user their own url using PHP?
  17. MySQL “NOT IN” query 3 tables
  18. Recursive categories with a single query?
  19. LOAD DATA LOCAL INFILE forbidden in… PHP
  20. How get all values in a column using PHP?
  21. Why does this return Resource id #2? [duplicate]
  22. In PHP with PDO, how to check the final SQL parametrized query? [duplicate]
  23. Dynamically create PHP object based on string
  24. Insert current date in datetime format mySQL
  25. How to build unlimited level of menu through PHP and mysql
  26. SQLSTATE[HY000] [2002] php_network_getaddresses: getaddrinfo failed: nodename nor servname provided, or not known
  27. select within 20 kilometers based on latitude/longitude
  28. Mysqli multiple row insert, simple multi insert query [duplicate]
  29. Updating column so that it contains the row position
  30. Improve password hashing with a random salt

Leave a Comment