Yii
alex4answ, 2019-03-26 21:03:07

Filtering input data when writing to the database or when outputting?

Good evening, I cannot decide how to do this correctly.
There is a form, without an editor and everything else, and 1 model that saves the entered data.
This form data is displayed in 2-5 templates.
I have only 1 place that can save the data from the form to the database, that is, there is no entry anywhere else.
And in connection with this, I have a question, isn't it easier for me to use Html::encode (htmlspecialchars) when writing to the database, and not in each template when outputting?
What is the actual difference and what are the pitfalls?
I would do an HtmlPurifier (strip_tags) on write, but I don't want "<such text>" to be removed.
How to filter the data correctly if the entry in the database is in 1 place, and the output is in several templates?


2 answer(s)
dollar, 2019-03-26
@dollar

For starters, filtering on write saves you from SQL injection.
Secondly, reads usually far outnumber writes, so it's best to filter on write.
On the other hand, by filtering the record in the database you lose the original format, and if you later change the filter, the data can no longer be re-encoded.
And one more point: if the user edits his record, he needs to be shown exactly what he entered.
Conclusion: partly filter/convert on write, partly filter on output, and when editing return the original version.

Dmitry, 2019-03-26
@slo_nik

Good evening.
To do this, yii has validation rules where you can specify which type is expected.
Also, I quote:
"The framework protects all SQL queries with prepared PDO statements, unless you compose queries by concatenation yourself. There are no problems with this."
But output user data via Html::encode().
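As an added illustration of the approach the two answers converge on (validate on write, store the original text, escape in every template that renders it, return the raw value in the edit form), here is a minimal Yii 2 sketch; it is not code from the thread, and the Note class, the body attribute, the table name and the view file names are assumptions.

```php
<?php
// models/Note.php (assumed name): store the user's text unmodified.
namespace app\models;

use yii\db\ActiveRecord;

class Note extends ActiveRecord
{
    public static function tableName()
    {
        return '{{%note}}';
    }

    public function rules()
    {
        return [
            // Validate type and length only. No strip_tags / encode here,
            // so "<such text>" is kept exactly as entered.
            [['body'], 'trim'],
            [['body'], 'required'],
            [['body'], 'string', 'max' => 2000],
        ];
    }
}

// controllers/NoteController.php (assumed): one write path.
// ActiveRecord::save() issues parameterised PDO queries, so the value
// needs no SQL-side escaping and is stored as the original.
public function actionEdit($id = null)
{
    $model = $id === null ? new Note() : Note::findOne($id);
    if ($model->load(Yii::$app->request->post()) && $model->save()) {
        return $this->redirect(['view', 'id' => $model->id]);
    }
    return $this->render('edit', ['model' => $model]);
}

// views/note/view.php (one of the several display templates):
// escape at the point of output, in each template that shows the field.
use yii\helpers\Html;
echo Html::tag('p', Html::encode($model->body));
// Html::encode('<such text>') returns '&lt;such text&gt;'

// views/note/edit.php: the form is fed the raw stored value; ActiveField
// encodes it for the textarea itself, so the user sees what he typed.
use yii\widgets\ActiveForm;
$form = ActiveForm::begin();
echo $form->field($model, 'body')->textarea();
echo Html::submitButton('Save');
ActiveForm::end();
```

With this split, the database always holds the original text, and the one thing every template must do consistently is call Html::encode() on the field it renders.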
