PHP / MySQL, Special characters, data integrity and security

southbeach

Jan 22, 2008
Howdy!

At which point should one be concerned with special characters?

(1) data entry level
(2) saving to table
(3) pushing to web
(4) other _______

As is the case with all or most of us, data integrity, security and flexibility are staring right at me. I need to allow the user the use of anything under the sun (for the most part) but yet, application|server security cannot be compromised.

Data is of no use to the user if content is missing, so how does one work out the compromise? I figure I use
Code:
htmlspecialchars($string, ENT_QUOTES, 'UTF-8')
when pushing to web and
Code:
mysqli_real_escape_string($link, $string)
when storing to table.

What else should I do? Is this even what I should do?





--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.
 
(2) is the only place you need to be really concerned, as that is really the only time that 'special' characters are likely to create any kind of problem for the database server.

Though for security aspects, (2) should cover any time you are building a query from user supplied input, not just when inserting or updating the data.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
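
The split discussed in this thread (handle special characters when building the query, encode when pushing to web) as an added example that is not code from either poster. Assumptions: PDO with an in-memory SQLite database stands in for MySQL so the script runs without a server, bound parameters are used in place of mysqli_real_escape_string, and the table, the helper h() and the sample values are constructed for illustration.

```php
<?php
// Added example, not from the thread. Assumption: in-memory SQLite via PDO
// replaces the MySQL server; with mysqli the same binding is done through
// mysqli_prepare() / mysqli_stmt_bind_param().

// Output encoding for the HTML context, applied only when pushing to web.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input with quotes, markup characters and non-ASCII text.
$author = "O'Brien";
$body   = 'He said "5 < 6 & 7 > 2" <b>café</b>';

// (2) Saving to table: values are bound, never concatenated into the SQL,
// so the text is stored exactly as the user entered it.
$ins = $db->prepare('INSERT INTO notes (author, body) VALUES (:author, :body)');
$ins->execute([':author' => $author, ':body' => $body]);

// The same applies to any query built from user input, not only writes.
$sel = $db->prepare('SELECT author, body FROM notes WHERE author = :author');
$sel->execute([':author' => $author]);
$row = $sel->fetch(PDO::FETCH_ASSOC);

// Data integrity: compare what came back with what went in.
echo 'stored unchanged: ';
var_dump($row['body'] === $body);

// (3) Pushing to web: encode at output time, for attribute and element text.
echo '<p title="', h($row['author']), '">', h($row['body']), "</p>\n";

// (1) Encoding at data entry instead alters the stored value, and the
// output step then encodes the entities a second time.
$early = h($body);
echo 'early-encoded equals original: ';
var_dump($early === $body);
echo 'double-encoded output: ', h($early), "\n";
```
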
 