Sep 2nd, 2010
validating user input... question?

Hi

I am wondering if one of the PHP pros on here could answer this question for me.

When validating user input to be put into a database like MySQL, I use mysql_real_escape_string(), but I also use strip_tags(), htmlentities() and trim(). My question is: should I just be using mysql_real_escape_string(), and then, if displaying the user data on a webpage, use strip_tags() and htmlentities() before it is displayed? I always run data through mysql_real_escape_string() of course before it goes into the database.

I am noticing quite a few scripts just use mysql_real_escape_string() when placing the data into a database, and then before the data from the database is output on a webpage it goes through strip_tags() and htmlentities() etc. I am not sure what is the best way to go about this. For example, if I only use mysql_real_escape_string(), that means I could have potentially dangerous code in the database, like code tags with malicious code etc. that could cause harm. Obviously this won't be a problem if the correct checks are done before it is output on a webpage, but I am confused about how others validate data and in which way.

Could someone please clarify what the best-practice way is for me?

For example, I have a guestbook; I run the $_POST data through strip_tags, htmlentities and mysql_real_escape_string before it is put in the database, then I can display it on the webpage knowing no harmful code is in the database. Yet I see scripts doing it the opposite way: just using mysql_real_escape_string() when placing data into the database and then sanitizing the data before it is displayed on a webpage, like a guestbook for example.

But I do all of it before it goes into the database; I'm confused over it.

Security is always my top priority and I just need proper clarification on this from you PHP pros out there. I am not sure what is best practice, as I see as many bad scripts as I do good ones, so I never know which is the correct way.

Thanks
PHPLOVER
Last edited by phplover; Sep 2nd, 2010 at 7:09 am.
Posted by phplover
Sep 2nd, 2010
Re: validating user input... question?
Anyone please?

Sorry if it sounds confusing.

Thanks
PHPLOVER
Posted by phplover
Sep 2nd, 2010
Re: validating user input... question?
You want to filter input and escape on output.
You could also add another layer of filtering to the output if you by chance needed the data in a different way than how it is stored in the database.

E.g. if the data in the database is a validated and filtered HTML string and you just want the plain-text representation in a particular scenario, you could then filter it coming from the database and remove any HTML, then escape that output to the user.

These are some articles that explain why this is the golden rule:
http://terrychay.com/article/php-adv...e-output.shtml
http://en.wikipedia.org/wiki/Secure_...utput_handling

This also has some good information:
http://phpsec.org/projects/guide/
Posted by mschroeder
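As an added example (not code from the thread), here is the "filter input, escape output" rule applied to the guestbook from the question; it assumes PDO prepared statements for the database step in place of the mysql_real_escape_string() call being discussed:

```php
<?php
// Added example (not code from the thread): "filter input, escape output"
// applied to the guestbook case discussed above. Assumption: PDO prepared
// statements handle the database step that mysql_real_escape_string() was
// used for in the question.
// Filter input: each field is checked against what it is expected to hold.
function filterGuestbookInput(array $post): array
{
    $errors  = [];
    $name    = trim($post['name'] ?? '');
    $message = trim($post['message'] ?? '');
    // The name field expects letters and digits only, so anything else is rejected.
    if ($name === '' || !ctype_alnum($name) || strlen($name) > 30) {
        $errors[] = 'Name must be 1-30 letters or digits.';
    }
    // The message is free text: any character is accepted and only the length is
    // bounded. Nothing is stripped here; the raw text is stored and escaped on output.
    if ($message === '' || strlen($message) > 2000) {
        $errors[] = 'Message must be 1-2000 characters.';
    }
    return ['errors' => $errors, 'name' => $name, 'message' => $message];
}

// Store: a prepared statement keeps data separate from the SQL text, so no
// manual escaping for the database is needed.
function storeEntry(PDO $db, string $name, string $message): void
{
    $stmt = $db->prepare('INSERT INTO guestbook (name, message) VALUES (?, ?)');
    $stmt->execute([$name, $message]);
}

// Escape output for the context it is rendered in (an HTML page here).
function renderEntryHtml(string $name, string $message): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $esc($name) . '</b>: ' . nl2br($esc($message)) . '</p>';
}

// The reply's second point: when a different representation is needed (plain
// text for an e-mail digest, say), filter the stored value on the way out.
function renderEntryPlain(string $name, string $message): string
{
    return $name . ': ' . strip_tags($message);
}

// Constructed sample input standing in for $_POST.
$result = filterGuestbookInput(['name' => 'alice42', 'message' => "Hello <b>world</b> & co"]);
if (!$result['errors']) {
    echo renderEntryHtml($result['name'], $result['message']);
}
```

Note that the message is stored exactly as typed and only transformed at the point of output, so the same row can be rendered safely as HTML or as plain text.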
Sep 2nd, 2010
Re: validating user input... question?
Hi,

Thanks for the useful info.

So am I right in thinking that I should filter input, like if I am expecting just letters and numbers then I should ensure only letters and numbers have been input; if not, obviously give an error like "not valid" etc., but if valid, that means it has been filtered and passed the filter check, so pass it along to the database or wherever. Then when I want to display that information on a webpage I should escape the data being output. Obviously if you only accepted letters and numbers then that won't need escaping on output, as a user could not have been able to add malicious code when filtering the data, like code tags and code between the code tags, but I should escape output if I for example have a guestbook where a user could enter any type of characters.

Am I right in what I have said?

Thanks
PHPLOVER
Posted by phplover
Sep 2nd, 2010
Re: validating user input... question?
I suggest you use the validation classes from the Zend Framework or PEAR's class. Using these classes can help you write your scripts faster, since you now no longer have to do extensive validation coding in your script. I suggest you use Zend Framework classes over PEAR, since they have done an amazing job at giving users an amazing amount of documentation that gives you a nice introduction to the classes and how to use them, as well as tons of code examples to follow.


PEAR's Validation Classes

Zend Framework Validation

Good luck to you!

-CyberSpatium
Posted by CyberSpatium
Sep 3rd, 2010
Re: validating user input... question?
Quote originally posted by phplover:
Hi,

Thanks for the useful info.

So am I right in thinking that I should filter input, like if I am expecting just letters and numbers then I should ensure only letters and numbers have been input; if not, obviously give an error like "not valid" etc., but if valid, that means it has been filtered and passed the filter check, so pass it along to the database or wherever. Then when I want to display that information on a webpage I should escape the data being output. Obviously if you only accepted letters and numbers then that won't need escaping on output, as a user could not have been able to add malicious code when filtering the data, like code tags and code between the code tags, but I should escape output if I for example have a guestbook where a user could enter any type of characters.

Am I right in what I have said?

Thanks
PHPLOVER
Thanks for replying, but I still want to know if I am right in what I have said in my quote above. It's still important for me to understand.

Thanks
PHPLOVER
Posted by phplover