When to use htmlentities: validating input? or when echoing out to browser?

At first I thought htmlentities and htmlspecialchars were just to be used when echoing a value to the browser and not to be used to validate input data from a user. So that is where I put the htmlentities, for example:

echo htmlentities($title, ENT_QUOTES);

In my case I am accepting values from a user and inputting these values into a database. These database values will eventually be echoed back out to a browser. What if I use htmlentities to validate the user's input only, before it is put into the database, and not use it when echoing output?

Does this provide the same protection?

Thanks.
kadin Asked:
 
Cornelia Yoder Commented:
That is what I always do.  It is even BETTER protection because nothing malicious can ever get into your database in the first place.  

The cost is a few bytes extra in the database for special characters, because they are stored as &#nnn; but it's worth that to me, so that I never have to worry about it for output.
 
kadin (Author) Commented:
Thanks. All this is new to me, so I was not even sure if I could do this.
Question has a verified solution.
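
The two placements of htmlentities discussed in this thread, run side by side on the same value. This is an added example, not code from any participant; the helper names `e()` and `report()`, the sample title, and the arrays standing in for database rows are assumptions made for illustration.

```php
<?php
// Added example: htmlentities() applied before storage vs. at output time.
// $dbA, $dbB and $imported are constructed stand-ins for database rows.

function e(string $s): string {
    // Escape for an HTML body or a quoted attribute value.
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, as a user might type it into a form.
$title = 'Tom & Jerry\'s <b>"Best"</b> café';

$dbA = ['title' => e($title)];  // Approach A: encode once, before storing
$dbB = ['title' => $title];     // Approach B: store raw, encode when echoing

function report(string $label, array $row, bool $encodeOnOutput): array {
    return [
        'approach'     => $label,
        // Entities take more bytes than the characters they replace.
        'stored_bytes' => strlen($row['title']),
        // What the HTML template sends to the browser.
        'html_output'  => $encodeOnOutput ? e($row['title']) : $row['title'],
        // Non-HTML consumers (JSON API, CSV export, plain-text mail)
        // receive the stored value unchanged, entities included.
        'json_output'  => json_encode($row['title'], JSON_UNESCAPED_UNICODE),
        // Searching the stored value for the text the user actually typed.
        'search_hit'   => strpos($row['title'], 'Tom & Jerry') !== false,
    ];
}

print_r(report('A: encode on input', $dbA, false));
print_r(report('B: encode on output', $dbB, true));

// If a template also escapes on output while reading approach A's row,
// every "&" in the stored entities is encoded a second time.
echo e($dbA['title']), PHP_EOL;

// A row that reached the table by another path (import script, admin tool)
// was never passed through the input-time encoder.
$imported = ['title' => '<i>imported</i>'];
echo $imported['title'], PHP_EOL;     // approach A's bare echo: markup is live
echo e($imported['title']), PHP_EOL;  // approach B: markup is neutralised
```

Both approaches send identical HTML for the form-submitted title; the differences appear in the stored size, the non-HTML output, the search result, and the row that bypassed the form.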
