When to use htmlentities: validating input? or when echoing out to browser?
Posted on 2010-11-29
At first I thought htmlentities and htmlspecialchars were just to be used when echoing a value to the browser and not to be used to validate input data from a user. So that is where I put the htmlentities, for example:
echo htmlentities($title, ENT_QUOTES);
In my case I am accepting values from a user and inputting these values into a database. These database values will eventually be echoed back out to a browser. What if I use htmlentities to validate the user's input only, before it is put into the database, and not use it when echoing output?
Does this provide the same protection?
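
The two placements the question compares, side by side, as an added example that is not part of the original post. The in-memory array standing in for the database, the function names and the sample title are assumptions made for illustration.

```php
<?php
// Added illustration: $db is an in-memory stand-in for the database table,
// and the sample values below are constructed.
$db = [];

// Placement A: encode when the value arrives and store the encoded string.
function save_encoded(array &$db, string $title): void {
    $db[] = htmlentities($title, ENT_QUOTES, 'UTF-8');
}

// Placement B: store exactly what the user sent.
function save_raw(array &$db, string $title): void {
    $db[] = $title;
}

// Output step that goes with placement A: it assumes every stored row
// was already encoded on the way in.
function render_trusting(string $stored): string {
    return '<h1>' . $stored . '</h1>';
}

// Output step that goes with placement B: it encodes at the point of echoing,
// whatever path the row took into the table.
function render_encoding(string $stored): string {
    return '<h1>' . htmlentities($stored, ENT_QUOTES, 'UTF-8') . '</h1>';
}

$title = 'Tom & Jerry <script>alert(1)</script>';

save_encoded($db, $title); // row 0: arrived through the input form
save_raw($db, $title);     // row 1: arrived by a path that skipped the form (import, admin tool)

// Render every row with both output steps to compare the four combinations.
foreach ($db as $i => $stored) {
    echo "row $i, trusting output: ", render_trusting($stored), "\n";
    echo "row $i, encoding output: ", render_encoding($stored), "\n";
}
```

Row 1 rendered by `render_trusting` is emitted as live markup because nothing ever encoded it, while row 0 rendered by `render_encoding` comes out double-encoded (`&amp;amp;`, `&amp;lt;`). Only the raw-stored row passed through `render_encoding` is both inert and displayed as typed.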