Originally Posted by ScallioXTX
Well, what would be the worst that could happen if I was viewing my database in phpMyAdmin and ran into an issue? (I think that is less of a concern on my computer than if a visitor to my live site encountered the same thing, right?)
#2. Normally I'd say you shouldn't htmlentities stuff in your database, but since you're using PhpMyAdmin, which is a web interface, I'm not 100% sure. If there's a leak in PhpMyAdmin you're vulnerable to that too if you don't htmlentities stuff in your database. On the other hand, you normally don't want to htmlentities stuff in your database for reasons you already stated. So I'm not sure.
Plus, I wouldn't want to see stuff like this in my database...
If someone did add HTML tags, this looks much better...
<i>This is in Italics</i>
<h1>This is a Heading</h1>
This person has a rude profile!!
Take a look at that nasty picture they have. Look at what they are doing?! That is obscene!!!
And take a look at those <b>NAUGHTY WORDS</b> in their Interests section... :)
For my database, I decided to go with this...
$issue = $trimmed['issue'];
// $issue = str2htmlentities($trimmed['issue']);
For my Admin e-mail, I decided to go with this...
#3. Yes, I would use it there too, to avoid XSS and CSRF via email.
// str2htmlentities: Converts all applicable characters to HTML-entities.
// nl2p: Converts Form submission to include proper HTML tags.
$formattedIssue = nl2p(str2htmlentities($issue));
// $formattedIssue = nl2p($issue);
Those two functions above are ones I wrote last summer; they are similar to the ones you'd expect, but slightly better!
Well, I think that covers everything, unless you have any more advice?
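The pattern the thread settles on, store the raw text and escape it only when it is rendered as HTML, as an added example that is not part of the original post. The helper names `escapeHtml` and `plainTextToParagraphs` are my own stand-ins for the poster's `str2htmlentities` and `nl2p`, and the sample submission is constructed.

```php
<?php
// Added example, not the poster's code. Escape on output; keep the raw text in the database.

function escapeHtml(string $text): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE keeps invalid UTF-8 from yielding ''.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape first, then add markup, so the only tags in the result are the ones this code adds.
function plainTextToParagraphs(string $text): string
{
    $text = str_replace(["\r\n", "\r"], "\n", trim($text));
    $paragraphs = preg_split('/\n{2,}/', $text);
    $html = '';
    foreach ($paragraphs as $p) {
        $html .= '<p>' . nl2br(escapeHtml($p)) . "</p>\n";
    }
    return $html;
}

// Constructed sample submission containing markup, like the profile report in the thread.
$issue = "This person has a rude profile!!\n\n"
       . "Take a look at those <b>NAUGHTY WORDS</b> & that <h1>heading</h1> in their Interests section.";

// 1. Store the raw text. Parameter binding keeps it out of the SQL; no HTML escaping here.
//    (assumes $pdo is an existing PDO connection and an "issues" table with an "issue" column)
// $stmt = $pdo->prepare('INSERT INTO issues (issue) VALUES (:issue)');
// $stmt->execute([':issue' => $issue]);

// 2. Escape at render time, whether the target is a web page or an HTML e-mail body.
echo plainTextToParagraphs($issue);

// 3. For a plain-text e-mail, send $issue unchanged with a text/plain content type;
//    entity-encoding there would only show the reader literal "&lt;" sequences.
```

Because the escaping happens in step 2 rather than at insert time, the same stored row can be shown correctly in a web page, an HTML e-mail, or a plain-text e-mail without double-encoding.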