
I feel this is so elementary it must have been answered before, but I can't find it. Anyway, forgive my newbieness. I have got my project to the point where I am validating input and output. I am using PDO, so SQL injection, I understand, shouldn't be a problem. However, what do I do with possibly malicious HTML? Some of my fields may justifiably contain HTML, as the project is around courses and course outlines may contain examples of what is in the course. If it's a course about HTML then... . I have read "sanitise input early and output late" and all I guess I really need to do is encode the <. This should wreck any script entered and planned to run on output. But when I replace in the SQL the encoding works, but should be too early, and when I replace in the PHP the &lt + the ; still runs the JavaScript, if it's a script of course. What do I do? Many thanks in anticipation.

Bri
  • You encode/decode html chars from and to [entities](http://php.net/manual/en/function.htmlentities.php). – Xorifelse Nov 15 '16 at 00:00
  • `I am using PDO so SQL Injection, I understand, shouldn't be a problem.` maybe, maybe not, are you using parameterized queries? – chris85 Nov 15 '16 at 00:26
  • Hi Chris85, thanks for the response, yes, prepare and ?s. Cheers – Bri Nov 15 '16 at 16:52
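An added PHP example, not from the question or its comments, of the "store raw, escape on output" approach the post is circling: the outline is inserted unchanged through a parameterized query and only encoded with htmlspecialchars() when it is echoed into the page. It assumes an in-memory SQLite table standing in for the course database and a helper named e(), both constructed here.

```php
<?php
// Added example: keep stored data raw, escape at output time.

// Constructed in-memory SQLite database standing in for the real course DB.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE course (id INTEGER PRIMARY KEY, outline TEXT NOT NULL)');

// Store the outline exactly as entered ("sanitise late"). The placeholder keeps
// SQL injection out; nothing about the HTML is altered at this stage, so a
// course about HTML can legitimately keep its <b> and <script> examples.
function storeOutline(PDO $pdo, string $outline): int
{
    $stmt = $pdo->prepare('INSERT INTO course (outline) VALUES (?)');
    $stmt->execute([$outline]);
    return (int) $pdo->lastInsertId();
}

// Escape at output time, once, right where the value meets HTML.
// ENT_QUOTES also encodes ' and " so the result is safe inside attributes;
// ENT_SUBSTITUTE avoids returning "" on malformed UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: legitimate HTML in a course outline plus an injected tag.
$id = storeOutline($pdo, 'Lesson 1: <b>bold</b> text. <script>alert(1)</script>');

$stmt = $pdo->prepare('SELECT outline FROM course WHERE id = ?');
$stmt->execute([$id]);
$outline = (string) $stmt->fetchColumn();

// <, >, &, ' and " are all turned into complete entities (e.g. &lt;script&gt;),
// so the browser displays the tags as text instead of executing them.
echo '<pre>' . e($outline) . '</pre>', PHP_EOL;
```

Escape with the helper every time a stored value is printed; do not also encode before the INSERT, or the displayed text will show `&amp;lt;` instead of `<`.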
