Hi !
I wonder if there's any downside or bad practice in doing the following procedure:
- $user_input -> htmlentities($user_input) -> mysql_escape($user_input) -> insert $user_input into DB
- Select $user_input from DB -> echo $user_input
instead of doing the following:
- $user_input -> mysql_escape($user_input) -> insert $user_input into DB
- Select $user_input from DB -> echo htmlentities($user_input)
As we display the same $user_input on a lot of places it feels more efficient do to it on the input instead, are there any downsides / bad practice / exploit-ability in doing it this way?
Cheers!
Good replies to the question from:
@Matt: In general, to keep things readable and maintainable, try to store it as close to the original, unfiltered content as possible. It depends on two things: Is any other person/program going to reference this data? Does the data need to be easily editable?
@Sjoerd: There is a downside if you want to display the data as something else than HTML, e.g. a CSV download, PDF, etc.