The standard precaution for any web form is to filter the user-submitted data. That helps to block attacks and can improve data quality. So in our CWP solution, we apply the htmlspecialchars() function to most of the form fields. It converts characters such as <, >, ", ', and & to their HTML entity equivalents. But then, when we move that data into Filemaker fields, the values come in as entities. So if someone entered, for example, "Mac & Cheese", that would show up as "Mac &amp; Cheese".
I could apply the PHP function htmlspecialchars_decode() to the data immediately prior to inserting it into the database. But would that defeat the security purpose of the filtering?
Should I do it that way? Filter as it goes into the web server, then decode as it goes into Filemaker?
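As an added illustration of the two data flows discussed in the question (example code written for this page, not the original poster's CWP code and not part of the FileMaker PHP API), the block below runs the same sample values through the encode-on-input, decode-before-store path and through the alternative of storing the raw value and escaping only where it is rendered. The sample inputs are constructed; no FileMaker call is made, the "stored" value is simply what would be handed to the database.

```php
<?php
// Added example, not the original poster's code. Sample inputs below are
// constructed; nothing is written to FileMaker, the functions just return
// the string that each step would hand on.
declare(strict_types=1);

// Path described in the question: encode every field on the way in.
// ENT_QUOTES converts both ' and "; ENT_HTML5 selects the HTML5 entity table.
function encodeOnInput(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Then decode right before the value goes into the database, so that
// "Mac &amp; Cheese" becomes "Mac & Cheese" again. The same flags must be
// used here as in encodeOnInput, otherwise &apos; would survive the decode.
function decodeBeforeStore(string $encoded): string
{
    return htmlspecialchars_decode($encoded, ENT_QUOTES | ENT_HTML5);
}

// Alternative path: keep the raw value in the database and escape it at the
// point where it is written into an HTML page.
function renderAsHtml(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$samples = [
    'Mac & Cheese',
    '<script>alert(1)</script>',
    'O\'Brien said "hello"',
];

foreach ($samples as $raw) {
    $encoded = encodeOnInput($raw);
    $stored  = decodeBeforeStore($encoded);

    // Encode-then-decode is a round trip: the value reaching the database is
    // byte-for-byte the original input, so the entity step changed nothing
    // about what is stored.
    $roundTripped = ($stored === $raw) ? 'yes' : 'NO';

    printf("input:            %s\n", $raw);
    printf("after encode:     %s\n", $encoded);
    printf("stored (decoded): %s\n", $stored);
    printf("round trip exact: %s\n", $roundTripped);
    // Escaping happens here, at output, regardless of which path was used.
    printf("rendered in HTML: %s\n\n", renderAsHtml($stored));
}
```

Running it shows that the stored value is identical to the raw input on both paths, which is the point to weigh when deciding whether to decode before insertion: what htmlspecialchars() protects is the HTML page the value is later printed into, so the escaping is only effective at the place where the value is rendered, and any page that prints a field straight out of the database without going through renderAsHtml() is unprotected whichever way the data went in.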