What is the industry standard inserting user input that may contain apostrophes into a database? Such an input will be displayed back to users on a webpage. For example, a user updates some field to "I'm cool". I insert it into my database with this function:
    public function updateDatabase($value) {
        $value = mysql_real_escape_string($value);
        Database::instance()->query(
            'UPDATE myTable
             SET myColumn = "' . $value . '"
             WHERE foo = "bar"'
        );
    }
The database will now store "I\'m cool". To display this value properly and safely back to any user, I would have to clean it with this function:
    public function toSafeDisplay($userGeneratedValue) {
        return stripslashes(
            htmlentities(
                $userGeneratedValue
            )
        );
    }
My concern is that doing stripslashes and htmlentities on everything I want to display on a webpage will be very processor intensive. The general consensus on StackOverflow is to not do htmlentities before inserting into the database, so that the data is as raw as possible. This would allow it to be later displayed in any medium, not just websites. So we're forced to do htmlentities at display time. Is this also true with stripslashes? Or is it possible to remove all the slashes before the apostrophes before updating the database without introducing SQL injection attacks?
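The pattern the question is circling around, as an added example that is not part of the original post: keep the value out of the SQL text with a prepared statement, store it exactly as typed, and escape only for the medium it is rendered in. The code below is not the asker's code; it uses PDO with an in-memory SQLite database so it runs offline, and the table, column and `foo = 'bar'` row are constructed for the demo. Function names mirror the question's `updateDatabase` and `toSafeDisplay`.

```php
<?php
// Added example (not from the original question): store the raw value with a
// prepared statement and escape only at display time. Uses an in-memory
// SQLite database via PDO so it runs offline; the schema is constructed here.

declare(strict_types=1);

function makeDatabase(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE myTable (foo TEXT PRIMARY KEY, myColumn TEXT)');
    $pdo->exec("INSERT INTO myTable (foo, myColumn) VALUES ('bar', '')");
    return $pdo;
}

// Stores the user's text exactly as typed. The placeholder keeps the value
// out of the SQL string, so no escaping (and no later stripslashes) is needed.
function updateDatabase(PDO $pdo, string $value): void {
    $stmt = $pdo->prepare('UPDATE myTable SET myColumn = :value WHERE foo = :foo');
    $stmt->execute([':value' => $value, ':foo' => 'bar']);
}

function readValue(PDO $pdo): string {
    $stmt = $pdo->prepare('SELECT myColumn FROM myTable WHERE foo = :foo');
    $stmt->execute([':foo' => 'bar']);
    return (string) $stmt->fetchColumn();
}

// Escaping belongs to the output medium, HTML here. ENT_QUOTES covers both
// quote characters so the value is also safe inside an attribute value.
function toSafeDisplay(string $userGeneratedValue): string {
    return htmlspecialchars($userGeneratedValue, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = makeDatabase();

// Constructed inputs: a plain apostrophe, a quote-heavy string that would
// break a concatenated query, and markup that must not render as HTML.
foreach (["I'm cool", "it's \"quoted\" 'twice'", '<b>bold</b> & co'] as $input) {
    updateDatabase($pdo, $input);
    $stored = readValue($pdo);
    assert($stored === $input);   // the text round-trips with no backslashes added
    echo "stored:    $stored\n";
    echo "displayed: " . toSafeDisplay($stored) . "\n";
}
```

Because the value never becomes part of the SQL text, nothing adds backslashes on the way in, so there is nothing to strip on the way out; the only per-request work at display time is `htmlspecialchars`, which is cheap compared with the database round trip. Note also that the `mysql_*` functions used in the question were removed in PHP 7.0, so `mysqli` or PDO prepared statements are the supported route anyway.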