Home » Php » javascript – Saving div innerText directly to database

javascript – Saving div innerText directly to database

Posted by: admin February 25, 2020 Leave a comment


I have a simple div with contenteditable and I want to store its value without the HTML but preserving line breaks, so I’m using the innerText.

The Question: Is it ok to just save it as it is directly in the database or should it be “urlencoded” or something before storing?

Right now Im saving as it is and when retrieving it run the content through htmlspecialchars and Purify, just in case. Is this fine or is there a more secure/performant way to do this?

How to&Answers:

Yes, this is fine. The data should be stored in the database as entered by the user. There’s no need to modify the data for security reasons when inserting into the database.

When inserting into the database you need to remember never to put any variable input directly in the SQL. You must always use parameterized prepared statements. They are provided by PDO for example.

When outputting the data you need to encode it for the medium in which you present the data. If you display the data in HTML you need to encode with htmlspecialchars(). If you put the data in URL you need to encode with rawurlencode().