Store html entities in database? Or convert when retrieved?

Backend · Unresolved · 8 · 1229
自闭症患者 2020-12-03 01:13

Quick question, is it a better idea to call htmlentities() (or htmlspecialchars()) before or after inserting data into the database?

8 answers

• 情书的邮戳 2020-12-03 02:00

It's best to store text as raw and encode it as needed. To be honest, you always need to HTML-encode your data anyway when you're outputting it to the web page to prevent XSS hacking.

You shouldn't encode your data before you put it in the database. The main reasons are:

1. If such data is near the column size limit, say 32 chars, and the title was "Steve & Fred blah blah", then you might go over that column limit because a 1-char & becomes a 5-char &amp;.
2. You are assuming the data will always be displayed in a web page. In the future you never know where you'll be looking at the data, and you might not want it encoded; now you have to decode it, and it's possible you might not have access to PHP's decode function.
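As an added example (not code from the original question or answer), the raw-in, escape-on-output pattern the answer describes, with the 32-char column limit from its first point simulated in PHP so it runs without a database:

```php
<?php
// Store the user's text exactly as typed; escape it only at the HTML boundary.
// The column limit is an assumption (32 chars, as in the answer); no real DB here.

declare(strict_types=1);

const TITLE_COLUMN_LIMIT = 32; // assumed VARCHAR(32) title column

// Write path: no HTML encoding; only the column's own length rule applies.
function fitsTitleColumn(string $value): bool
{
    return mb_strlen($value, 'UTF-8') <= TITLE_COLUMN_LIMIT;
}

// Read/render path: the single place where text meets HTML.
// ENT_QUOTES also escapes single quotes so the value is safe inside attributes.
function renderTitle(string $rawTitle): string
{
    return htmlspecialchars($rawTitle, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: exactly 32 chars raw, with four '&' characters.
$title = 'Steve & Fred & Bob & Carol & Dan';

// Pre-encoding turns each '&' into the 5-char '&amp;', so the same title
// that fits raw no longer fits the column once encoded up front.
$preEncoded = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');

printf("raw fits column: %s\n", fitsTitleColumn($title) ? 'yes' : 'no');
printf("pre-encoded fits column: %s\n", fitsTitleColumn($preEncoded) ? 'yes' : 'no');

// Render the raw value: escaped exactly once, browser shows the '&' correctly.
echo '<h1>' . renderTitle($title) . "</h1>\n";

// Had the encoded copy been stored, the mandatory output escape would run a
// second time and the page would literally display "&amp;" to the reader.
echo '<h1>' . renderTitle($preEncoded) . "</h1>\n";

// Non-HTML consumer (CSV export, API, search index): the raw value is usable
// as-is, with nothing to decode first.
echo json_encode(['title' => $title]) . "\n";
```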
