Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Reply To: How to prepare a string to be inserted in a database and put in a textfield

#146504
Jochim
Participant

> Be aware that “using PDO” does not, in and of itself, do anything special in terms of SQL injection. Do you mean to say that you’re using prepared statements?

Yup, I’m using prepared statements, sorry, my bad :)

> Since you’re allowing users to come back and edit things, I would suggest saving the original (non-htmlpurifier’d) content in the database alongside the “display-ready” content.

Yes, I’m already saving both in the database, but shouldn’t I purify the original too? It’s only echoed inside a <textfield>, but what if they just put </textfield> and their ‘evil code’?

> as long as you remember to clean it up before printing it.

I know htmlentities would prevent this, but isn’t it better to run that function once and insert the ‘clean input’ into the database rather than calling it every time it gets requested?
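The pattern being discussed in this exchange (raw text stored through a prepared statement, escaping applied only when the text is printed into the edit form), shown as an added example that is not code from the thread or from any of its participants. It assumes an in-memory SQLite database reached through PDO, a made-up `posts` table, and hypothetical helper names (`savePost`, `loadPost`, `h`, `renderEditForm`); the hostile sample input is constructed to mirror the "close the textarea and inject" case raised above.

```php
<?php
// Added example, not from the original thread. Stores the raw user text with a
// prepared statement and escapes it only at output time, inside a <textarea>.
// Assumptions: SQLite in-memory database via PDO; the table, column and helper
// names below are invented for illustration.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Storing: the raw text goes in unchanged. The prepared statement is what keeps
// the quotes and angle brackets from ever being parsed as SQL; no escaping of
// the text itself is needed (or wanted) at this layer.
function savePost(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadPost(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException("no post with id $id");
    }
    return $row['body'];
}

// Output: escape for the HTML context at the moment of printing. ENT_QUOTES
// covers both quote styles (so the same helper is safe inside attributes),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The edit form gets the raw copy, escaped. A closing </textarea> in the data
// becomes &lt;/textarea&gt;, so the browser keeps it as text inside the field.
function renderEditForm(string $rawBody): string
{
    return '<textarea name="body">' . h($rawBody) . '</textarea>';
}

// Constructed sample input: the "close the textarea, then inject" attempt from
// the thread, plus an SQL-style quote and comment for good measure.
$hostile = "hello' -- </textarea><script>alert(1)</script>";

$id     = savePost($pdo, $hostile);
$stored = loadPost($pdo, $id);

// The database holds exactly what the user typed, with no escaping baked in ...
if ($stored !== $hostile) {
    throw new RuntimeException('stored text was altered');
}

// ... and the page shows it as inert text inside the textarea.
$html = renderEditForm($stored);
if (strpos($html, '</textarea><script>') !== false) {
    throw new RuntimeException('textarea breakout was not neutralised');
}
if (strpos($html, '&lt;/textarea&gt;&lt;script&gt;') === false) {
    throw new RuntimeException('expected escaped markup not found');
}

echo $html, PHP_EOL;
```

Keeping the stored copy raw and escaping at print time is preferable to storing an `htmlentities`-processed copy because escaping is specific to the output context: the same text may later be emitted into JSON, a plain-text email, or a log, where HTML entities are simply wrong, and if the escaping rules ever change (a different charset, a different flag set) a pre-escaped column would have to be rewritten. The "display-ready" copy produced by HTMLPurifier remains useful where rich HTML is allowed; the edit form is the one place where the raw copy, escaped as above, is what should be shown.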