Escaping and quoting best practices for PHP
Published: Friday, Nov 14, 2008 Last modified: Saturday, Sep 7, 2024
21:28 <@Xiven> the philosophy is that you don't want to end up doing silly things like storing it html-escaped in a database. not everything is output as html either
21:29 <@Xiven> you SQL escape just before you enter into a database, you HTML escape just before you output html, you URL encode just before you use it in a URL
21:29 <@Xiven> you can never be sure that later on, that variable isn't going to be used in some other way
21:30 <@Xiven> and when you start doing object-oriented stuff, your object should never expect to be fed escaped data
21:30 <@Xiven> this is why PHP's "magic quotes" are a bad idea
21:30 <@Xiven> for a simple small app it seems nice
When you output user input as HTML, use htmlspecialchars() or htmlentities().
When you put data into a database, quote it, so you avoid SQL injection.
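The following script is an added example, not code from the original post or the IRC discussion it quotes. It shows the principle above in working PHP: the raw value is kept as-is and escaped only at each sink (HTML output, URL building, SQL storage). It assumes the pdo_sqlite extension is available and uses a constructed in-memory table called `people`; the helper names `escapeForHtml`, `escapeForUrl` and `storeName` are ours.

```php
<?php
// Added example (not from the original post): keep the raw value, escape per sink.
declare(strict_types=1);

// Constructed sample input: the kind of text a user might type into a form.
$rawInput = "O'Reilly <b>& Sons</b> \"quoted\"";

// 1. HTML context: escape only at the moment of output.
function escapeForHtml(string $value): string
{
    // ENT_QUOTES escapes both ' and " so the value is also safe inside attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. URL context: percent-encode only when building a URL component.
function escapeForUrl(string $value): string
{
    return rawurlencode($value);
}

// 3. SQL context: bind the raw value as a parameter; the driver does the quoting.
//    PDO::quote() is the manual alternative, but prepared statements are preferred.
function storeName(PDO $db, string $value): void
{
    $stmt = $db->prepare('INSERT INTO people (name) VALUES (:name)');
    $stmt->execute([':name' => $value]);
}

// Constructed in-memory database (assumes pdo_sqlite is installed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

storeName($db, $rawInput);

// The database holds the original, unescaped text, so it can be reused in any
// context later (HTML, URL, plain-text email, JSON) without un-escaping first.
$stored = $db->query('SELECT name FROM people')->fetchColumn();
if ($stored !== $rawInput) {
    throw new RuntimeException('stored value was altered');
}

// HTML body: escape once, at output time.
echo '<p>' . escapeForHtml($stored) . "</p>\n";

// A URL component that lands inside an HTML attribute needs both encodings,
// innermost context first: URL-encode the value, then HTML-escape the attribute.
echo '<a href="/search?q=' . escapeForHtml(escapeForUrl($stored)) . "\">search</a>\n";

// Storing an already-escaped value and escaping again on output is the
// double-escaping bug that magic quotes invited; escape exactly once, at the sink.
$escapedTwice = escapeForHtml(escapeForHtml($stored));
if ($escapedTwice === escapeForHtml($stored)) {
    throw new RuntimeException('expected double escaping to change the output');
}
```

Run it with `php escape-demo.php`. The one rule the script enforces is that `$rawInput` and `$stored` are identical: nothing is escaped until the value reaches a sink, and each sink applies only its own encoding.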