
Course context: PHP > Build a Basic PHP Website (2018) > Enhancing a Form > Escaping Output

Is escaping output from MySQL server necessary if data being retrieved has already been sanitized?

I'm interested to know whether or not it is necessary to escape output from a MySQL server if the data that is being retrieved has already been filtered when the user submitted a form.

Example:

  1. The user submits a form with a comment for a blog post.
  2. On form submission, prior to sending data to MySQL server, their input is filtered with FILTER_SANITIZE_SPECIAL_CHARS to prevent injection attacks.
  3. Once the data has been posted to server, the user is rerouted to another screen where they can view their comment.
  4. When retrieving their comment from the server (which has stored the filtered input), is it necessary to escape this output as well?

My gut tells me it is not necessary unless the user would be seeing their input displayed without having already been filtered (just like the example in the video here), or if the output was coming from another database where the data may or may not have been filtered on input. Either way, before I publish my site I want to be doubly sure that this is correct.

Alena Holligan, thanks for your reply! Unfortunately when I use the flag ENT_NOQUOTES in order to allow both single and double quotes, I still get the same issue with my quotes coming out filtered.

Here's an example of what is printed out from the server after being put through:

    echo htmlspecialchars($server_data, ENT_NOQUOTES);

Output: "Well, I'm not so sure. You see, I think the bike can be a lot more fun at lower speeds when it sound loud and aggressive. You don't have to push the bike too hard to hear it roar, and psychologically you might not push the bike too far." - Post on blog.

Someone mentioned to me on Stack Overflow that filtering data with FILTER_SANITIZE_SPECIAL_CHARS before posting data to the server was not a good idea, that it could confuse the server when the data is retrieved. Is this true? What would an alternative be? I figured that posting their data to the server raw and then escaping it on output could potentially result in a SQL injection. Is this not true?

I really just need to know if I need to filter data being posted to the server, or if I should escape that data when it is being retrieved and placed in the html markup.

1 Answer

Always, always, always escape output. Every time. You can never be too safe and it's just a few clicks of the keyboard. Is it aaaaaaabsolutely necessary all the time? No - but it's like the one time you don't lock your car door at home, someone nabs your iPod from your cup holder.


Ok. Now here's a follow up question. Because it's a blog post, I want to allow the user to use characters like single and double quotes and/or parentheses. However, when I escape their output using htmlspecialchars(), it escapes these characters as well. What's the best work around for this? Alena Holligan
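As an added example (not code from this thread or from the course), here is the pattern the answer recommends, written in PHP: the comment is stored unmodified through a prepared statement, escaped once at output with ENT_QUOTES, and the last step shows why sanitizing on input as well produces the doubly encoded quotes described in the follow-up. The in-memory SQLite database, the comments table and the sample comment are assumptions made for the example.

```php
<?php
// Added example, not from the original thread: store the comment raw with a
// prepared statement, escape only when rendering. Uses an in-memory SQLite
// database so it runs offline; the table and sample comment are constructed.
declare(strict_types=1);

// Constructed user input: apostrophe, double quotes, parentheses, markup, ampersand.
$userInput = 'I\'m not sure ("really") <b>bold</b> & more';

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// 1. Storage: the bound placeholder keeps data separate from the SQL text, so
//    no input filtering is needed to prevent SQL injection. Store it as typed.
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $userInput]);

// 2. Output: escape for the HTML context at the moment of rendering. Quotes
//    become entities in the source, but the browser displays them as quotes,
//    so the reader still sees ' " ( ) exactly as the commenter typed them.
function renderComment(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$stored = $db->query('SELECT body FROM comments')->fetchColumn();
echo renderComment($stored), PHP_EOL;

// 3. Why sanitizing on input as well breaks display: FILTER_SANITIZE_SPECIAL_CHARS
//    already turns ' and " into numeric entities before storage, so escaping on
//    output (even with ENT_NOQUOTES) encodes the '&' of each entity a second
//    time and the page shows the literal entity text instead of the quote.
$sanitized = filter_var($userInput, FILTER_SANITIZE_SPECIAL_CHARS);
echo htmlspecialchars($sanitized, ENT_NOQUOTES, 'UTF-8'), PHP_EOL;
```

Compare the two printed lines in the page source and in a browser: the first renders the quotes and parentheses normally, the second shows them as visible `&#39;` and `&#34;` text.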