htmlspecialchars() is sufficient to escape text for browsers. This will protect other site users from XSS attacks.

However, I would only run this function when displaying data. Storing escaped content in a database seems like poor design to me. The database should store actual content, not munged content. Escape things as necessary at each layer, and no sooner.


To illustrate why this is a bad idea, consider a web site that is working on implementing a JSON-driven API. If they are storing HTML-encoded data in their database, they have two choices: (a) have HTML-encoded data in their JSON responses (which makes no sense), or (b) decode the HTML back to its original form before JSON-encoding it. Both choices are sub-optimal.

Data goes in the database, JSON strings go in JSON documents, and HTML-encoded data goes in HTML documents. Don't mix them!

  • 17

    • So what should I do when storing the data? If I don't use htmlspecialchars when storing the data, I'm vulnerable to XSS, or what?
    • @user1938304 When you output the data from the database is when you use it. Read more about what an XSS attack is, and how they are executed, and you may understand more.
    • @user1938304 You don't do anything to the data when you store it (aside from SQL-escaping it, if you are not using prepared queries -- and you should really be using prepared queries). The data in the database should be exactly what the user entered. When you render that data into an HTML document, that is when you use htmlspecialchars(). When you render that data into a JSON document, that is when you JSON-encode it.
    • Prepared statements do not protect your users from XSS, they protect your database from SQL injection. These are two different topics; dissociate them in your mind.
    • @user1938304 Use htmlspecialchars() after you fetch the data from the database. The same thing I've told you at least three times now.
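The layering described in the answer above, as an added example that is not code from the original post: raw input is stored through a PDO prepared statement, then escaped separately for an HTML context and for a JSON context at render time. The in-memory SQLite database, the `comments` table and the sample input are constructed here for illustration.

```php
<?php
// Added example: store user input unchanged, escape per output context.
declare(strict_types=1);

// Constructed for this example: an in-memory SQLite database and one table.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed user input containing markup, quotes and an ampersand.
$userInput = '<b>Hi</b> "friend" & <script>alert(1)</script>';

// Storage layer: parameter binding keeps the value out of the SQL grammar
// (that is the SQL injection defence), but the stored text is the user's
// exact content. Nothing is HTML-escaped here.
$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $userInput]);

$select = $db->prepare('SELECT body FROM comments WHERE id = :id');
$select->execute([':id' => 1]);
$stored = $select->fetchColumn();
if ($stored !== $userInput) {
    throw new RuntimeException('stored value was altered on the way in');
}

// HTML layer: escape only when rendering into an HTML document.
// ENT_QUOTES also escapes single quotes, so the value is safe inside
// attribute values as well as element text.
function renderHtml(string $text): string
{
    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// JSON layer: encode only when rendering into a JSON document. No HTML
// entities are involved; an API client gets the original text back.
function renderJson(string $text): string
{
    return json_encode(['body' => $text], JSON_THROW_ON_ERROR);
}

// JSON that is itself embedded in an HTML <script> block is also an HTML
// context: the JSON_HEX_* flags keep "</script>" from terminating the block.
function renderJsonForScriptTag(string $text): string
{
    return json_encode(['body' => $text],
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS);
}

echo renderHtml($stored), PHP_EOL;
echo renderJson($stored), PHP_EOL;
echo renderJsonForScriptTag($stored), PHP_EOL;
```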

If you use PDO -- with properly used prepared statements -- you don't have to sanitize your input. But to make sure you won't get XSS attacks, I would use htmlspecialchars before you put it in your DB.

  • -2

    • Okay, so to be clear: PDO prepared statements to prevent SQL injections, and htmlspecialchars to prevent XSS? I tried to understand what XSS is, but I'm not really sure?
    • @user1938304 XSS takes advantage of the lack of HTML escaping on sites. For example, your users could submit data that includes
