
Using PHP's htmlspecialchars() in CWP solutions

Question asked by GarySprung on Sep 2, 2016
Latest reply on Nov 2, 2016 by GarySprung

The standard precaution for any web form is to filter the user-submitted data. That helps to block attacks and can improve data quality. So in our CWP solution, we apply the htmlspecialchars() function to most of the form fields. It converts characters such as <, >, ", ', and & to their HTML entity equivalents. But then, when we move that data into FileMaker fields, the values come in as entities. So if someone entered, for example, "Mac & Cheese", that would show up as "Mac &amp; Cheese".

I could apply the PHP function htmlspecialchars_decode() to the data immediately prior to inserting it into the database. But would that defeat the security purpose of the filtering?

I'm guessing it still makes sense, because the initial htmlspecialchars() will help prevent attacks using JavaScript.

Should I do it that way? Filter as it goes into the web server, then decode as it goes into FileMaker?
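As an added example (not code from the original post or any reply), the PHP script below shows what the encode-then-decode sequence described above actually does to the data, and where htmlspecialchars() needs to be applied for it to protect the rendered page; the field names and sample values are constructed.

```php
<?php
// Added example: the htmlspecialchars() -> htmlspecialchars_decode() round trip
// returns the original input unchanged, so the database ends up holding exactly
// what the user typed. What protects the HTML page is encoding each value at
// the moment it is written into HTML, whatever form it has in storage.

declare(strict_types=1);

// Constructed sample form input, including a hostile-looking value.
$submitted = [
    'dish'    => 'Mac & Cheese',
    'comment' => '<script>alert("x")</script> it\'s "great"',
];

// Step 1: what the post describes doing on the way in.
$encoded = array_map(
    fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
    $submitted
);

// Step 2: decode immediately before storing in FileMaker.
// ENT_HTML5 must match step 1 so that &apos; is turned back into a quote.
$forDatabase = array_map(
    fn(string $v): string => htmlspecialchars_decode($v, ENT_QUOTES | ENT_HTML5),
    $encoded
);

// The round trip is lossless: nothing from the earlier encoding persists.
assert($forDatabase === $submitted);

// Step 3: where the protection actually lives. Encode each value for HTML at
// render time, regardless of what the database returned.
function renderCell(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach ($forDatabase as $field => $value) {
    echo '<td>' . renderCell($value) . "</td>\n";
}
```

Because the decode in step 2 restores the raw input, the stored "Mac & Cheese" reads correctly in FileMaker, and the script tag in the comment field is neutralised only by the encoding in step 3.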