Escaping variables

Backend | Unresolved | 4 | 1877
轻奢々 2020-12-10 21:11

I've read that it's enough and even recommended to escape characters on the output, not on the input.

It could be easily applied to all GET variables as they are n

4 answers
  •  感情败类
    2020-12-10 21:58

    I've read that it's enough and even recommended to escape characters on the output, not on the input.

    Typically, you want to:

    • Validate input and store it using prepared statements. Prepared statements will protect your database against SQL injections. Typically, you don't want to strip out HTML tags on input because doing so could lead to a loss of data integrity.
    • When displaying user-generated data (output), you can guard against XSS by using a combination of htmlentities and mb_convert_encoding.

    Note on the htmlspecialchars function from another question:

    Even if you use htmlspecialchars($string) outside of HTML tags, you are still vulnerable to multi-byte charset attack vectors.

    The most effective you can be is to use a combination of mb_convert_encoding and htmlentities as follows.

    // Re-encode UTF-8 to UTF-8: invalid byte sequences are replaced, so a broken multi-byte sequence cannot swallow a following quote or bracket.
    $str = mb_convert_encoding($str, 'UTF-8', 'UTF-8');
    // Entity-encode <, >, &, and both quote styles for output into HTML.
    $str = htmlentities($str, ENT_QUOTES, 'UTF-8');
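
The following is an added example, not code from the answer above or from the question's author. It puts the two halves of the advice together: the raw input is validated and stored through a PDO prepared statement (no HTML stripping), and escaping happens only at output time with the mb_convert_encoding + htmlentities pair. The `comments` table, the `escape_for_html` and `store_comment` function names, the sample inputs, and the in-memory SQLite connection are all assumptions made for the demonstration; the script needs the mbstring and pdo_sqlite extensions.

```php
<?php
// Added example (not from the answer above). Assumes PHP with the
// mbstring and pdo_sqlite extensions; table and function names are
// placeholders chosen for illustration.
declare(strict_types=1);

/**
 * Escape a user-supplied string for insertion into an HTML document.
 *
 * Step 1 re-encodes UTF-8 to UTF-8: bytes that are not valid UTF-8 are
 * replaced with the substitute character ('?' by default), so a malformed
 * multi-byte sequence cannot "eat" the quote or bracket that follows it.
 * Without this step, htmlentities() returns an empty string on invalid
 * UTF-8 (PHP >= 5.4), which silently blanks the output.
 *
 * Step 2 entity-encodes <, >, &, " and ' (ENT_QUOTES), so the value is
 * inert both as text content and inside a quoted attribute.
 */
function escape_for_html(string $raw): string
{
    $clean = mb_convert_encoding($raw, 'UTF-8', 'UTF-8');
    return htmlentities($clean, ENT_QUOTES, 'UTF-8');
}

/**
 * Store input as the user wrote it, via a bound parameter.
 * Validation here is a length check only: tags are deliberately not
 * stripped, because that would alter the stored data.
 */
function store_comment(PDO $pdo, string $body): void
{
    if ($body === '' || mb_strlen($body, 'UTF-8') > 2000) {
        throw new InvalidArgumentException('comment length out of range');
    }
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// --- Demonstration with constructed inputs ---------------------------------
$samples = [
    // Script tag: rendered as literal text after escaping.
    '<script>alert(1)</script>',
    // Double quote that would otherwise close an attribute value.
    'x" onmouseover="alert(1)',
    // Single quote plus a tag, the kind of name that breaks naive escaping.
    "O'Reilly <admin>",
    // Invalid UTF-8 lead byte (0xC0) directly before a quote: the
    // re-encoding step replaces the bad byte, the quote is then escaped.
    "\xC0\" onerror=\"alert(1)",
];

// In-memory SQLite stands in for the real database (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Input side: store raw (validated) data with a prepared statement.
foreach ($samples as $s) {
    store_comment($pdo, $s);
}

// Output side: escape each stored value only when it is rendered.
$rows = $pdo->query('SELECT body FROM comments ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
foreach ($rows as $body) {
    echo '<p>', escape_for_html($body), '</p>', PHP_EOL;
    echo '<input value="', escape_for_html($body), '">', PHP_EOL;
}
```

Run it with `php example.php` and compare the stored rows (unchanged, tags intact) with the printed HTML (all angle brackets and quotes encoded). The design point is the separation: the database layer never sees string concatenation, and the HTML layer never trusts that the data was cleaned earlier.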
    
