Cleaning information retrieved from database

hadoob024

I was reading through this PHP security book and it recommends cleaning/screening/sanitizing information retrieved from the db prior to displaying it. Is this something that everyone recommends, or is it considered overkill?

Let me clarify. Like I know to use htmlentities() to clean up these fields for proper display, but do I need to run everything through some eregi() checks or something to validate the information again before displaying it? Or does this all depend on how secure the db server is?

laserlight

If you want to validate input, I'd say it is best to do so before storing in the database. Then you only format what is retrieved for the desired form of display.

I can see the worry that the database might get compromised, but then you also have to worry about your webserver getting compromised, upon which all the validation you perform on the database result sets may just disappear.

hadoob024

Hmmm... That's true. I didn't think of it that way. If one of them gets comprimised, chances are that both could be.

As for the validation before storing in the db, yup. I do that too. I check lengths and the type of info entered into the form, then I set a variable equal to the $_POST variable passed thru. I then verify it using eregi(). I also use trim(), strip_tags(), etc. And only after it passes all these checks do I actually store the info in the db. But the book suggested that just to be on the safe side, to also then verify the info when it's pulled out of the db but before displaying it. But after hearing your argument, I guess it just seems like overkill.

MarkR

You should be able to display any character data from the database correctly in the page.

Your template should be set up to use htmlspecialchars() or something like the |escape smarty modifier- this is normal best practice.

There is clearly no need to validate data coming out of the database, as it should not be there in the first place. Check it on the way in for validity.

Mark

hadoob024

That's what I was thinking too. I think the author was trying to say that just in case the db gets comprimised, that it's best to re-validate the information coming out of the db prior to displaying it. But I think I agree with everyone here and that this is just overkill. As long as I thoroughly screen/validate before storing in the db I should be fine.

As to your reply, are you recommending using htmlspecialchars() over using htmlentities()?