Do you htmlentities the input value and then save the htmletites-ed values to the database?
#1

[eluser]searain[/eluser]
Do you htmlentities the input value and then save the htmletites-ed values to the database?

http://ellislab.com/forums/viewthread/57514/#282983

For example, in this code, Jay Tee had
Code:
$rules['client']      = 'trim|required|max_length[255]|xss_clean|htmlspecialchars';
$rules['description'] = 'trim|required|max_length[255]|xss_clean|htmlspecialchars';
$rules['amount']      = 'trim|required|numeric';

Meaning he turned the values like
Code:
"BigInvoice"
to
Code:
&quot;BigInvoice&quot;
and saved it in the database as
Code:
&quot;BigInvoice&quot;
.

Then, when editing the record, he retrieves the value and displays it in the edit form. He would display the value as it is retrieved from the database; there is no need to htmlentities the database value because it was saved as htmlentities-ed values already.

I used to take another approach.

I would save the data as it is inputted from the form (of course, validating the data before saving it, such as with mysql_real_escape_string etc., but I would not htmlentities the input value before I save it to the database).

When I retrieve the data and display it in the edit form or another HTML format, I htmlentities the data I retrieved from the database before I display the value in the form etc.

Which way should I go? I have switched my coding habits from Zen Cart to the rules some friends here suggested when I do CI coding, such as the table naming rules: I use the singular name_id and don't add the table name before the column name, etc.

But in this case, I think I should stay with my old habit. That is, save the data (not htmlentities-ed) in the database, but display the data retrieved from the database htmlentities-ed when necessary.
#2

[eluser]Thorpe Obazee[/eluser]
[quote author="blackhorse66" date="1244549467"]Do you htmlentities the input value and then save the htmletites-ed values to the database?[/quote]

no.
#3

[eluser]Colin Williams[/eluser]
me neither. Save it raw (for the most part), format it on output.
#4

[eluser]Kromack[/eluser]
Quote: me neither. Save it raw (for the most part), format it on output.

Me too; to my mind the "real" data doesn't have to be formatted.
#5

[eluser]Evil Wizard[/eluser]
htmlentities is a display method and shouldn't be used to prep data for storage. I think the best way to store data is in raw format and then apply formatting/structure later. It helps to separate application logic from display logic: the data doesn't care where it's going and the display doesn't care where it came from.
#6

[eluser]searain[/eluser]
So just simply htmlentities the values in the view pages? Or htmlentities the values first in the controller and then pass the htmlentities-ed values to the view page?

I would just htmlentities the values in the view page. (Just wonder if it is the right way in CI.)

Thanks!
#7

[eluser]Evil Wizard[/eluser]
For me it would depend on the variable type and its use in the view. If it was a single variable being added to the view, then I would use htmlentities() when adding it to the view. However, if I was passing in an array to loop round in the view and some of the values in the array needed to be passed through htmlentities(), then it would be done in the view. I think it's just whatever suits you, I suppose, lol.
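The two approaches compared in #1 and the "store raw, format on output" advice in #3, #5 and #7 side by side, as an added example that is not from the thread or from CodeIgniter itself. The helper names h(), saveEscaped(), saveRaw() and renderEditForm() are made up for the example, and a plain PHP array stands in for the database table; the client name is a constructed input. It shows why escaping before storage bites once the view also escapes (double encoding), and that a single htmlspecialchars() at output time is enough when the stored value is raw.

```php
<?php
// Added example (not from the thread or CodeIgniter): store raw, escape on output.
// A PHP array stands in for the database table. SQL escaping is a separate
// concern handled by parameterised queries and is not shown here.

declare(strict_types=1);

/** Escape a value for HTML text or a double-/single-quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES also converts single quotes, so the result is safe inside
    // value='...' attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead
    // of returning an empty string, and the charset is stated explicitly.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Approach A from #1: escape before saving (what the quoted rules do). */
function saveEscaped(array &$table, string $input): void
{
    $table[] = h($input);
}

/** Approach B from #1: save the raw input unchanged. */
function saveRaw(array &$table, string $input): void
{
    $table[] = $input;
}

/** Render an edit form for every row, escaping at output time (the view). */
function renderEditForm(array $table): string
{
    $html = '';
    foreach ($table as $i => $name) {
        $html .= sprintf('<input name="client[%d]" value="%s">' . "\n", $i, h($name));
    }
    return $html;
}

// Constructed input: the client name the user actually typed.
$input = '"Big" Invoice & Co <script>';

$escapedStore = [];
saveEscaped($escapedStore, $input);
$rawStore = [];
saveRaw($rawStore, $input);

// Approach A combined with an escaping view double-encodes: &quot;Big&quot;
// becomes &amp;quot;Big&amp;quot; and the user sees a literal "&quot;".
echo "Approach A (escaped in DB) rendered by an escaping view:\n";
echo renderEditForm($escapedStore);

// Approach B: the stored text is what the user typed, so one escape on
// output yields the correct, safe attribute value.
echo "Approach B (raw in DB) rendered by an escaping view:\n";
echo renderEditForm($rawStore);

// The raw value also stays usable outside HTML (search, CSV export,
// plain-text e-mail) without any un-escaping step.
echo "Raw value for a plain-text report: " . $rawStore[0] . "\n";
```

With approach A the only way to avoid the doubled entities is to remember which fields are already escaped and skip h() for them, which is exactly the coupling between storage and display that #5 argues against; with approach B every view can escape unconditionally.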