I take $_POST information and store it in a DB and later on query and print this information to the user. Should I use htmlspecialchars() before inserting this info or after I query it before I output it?
In addition I开发者_如何学JAVA need the ability for users to have the ability to use quotes and other everyday special chars. I know I can use the flag ENT_NOQUOTES but it feels like if I do that it leaves security holes.
My site allows Bbcode and I want users to be able to use everyday characters without having to see "amp;lt;<?>&".
Patience with me <--- noob is encouraged! Thanks :D
Should I use htmlspecialchars() before inserting this info or after I query it before I output it?
Escape data for the target code just before you insert it. i.e. Just before you output it.
This means that you will keep the data in its original form for other purposes (e.g. outputting to the user for editing, including in an email, generating a PDF, searching, etc)
In addition I need the ability for users to have the ability to use quotes and other everyday special chars. I know I can use the flag ENT_NOQUOTES but it feels like if I do that it leaves security holes.
htmlspecialchars() will convert quotes in the inputted data into HTML. So you don't need to do anything special.
My site allows Bbcode
Then you need to have a proper BBCode parser.
htmlspecialchars() is used before output to avoid XSS. And the database should better save the user's raw input.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论