date 2020-12-21

benanamen: htmlspecialchars is an output function, not input, so this whole block does not belong.

Whether you htmlencode the data on the way in or out makes no difference to the database. A string is a string. It’s processing the data to be stored.

I will grant you that it takes more space to store them encoded and may not be recommended, but there’s nothing to say that it does not belong.

benanamen: Additionally, do not output internal system errors to the user.

I agree, but with an addition. This would appear to be an API reference, given that the positive outcome is a JSON string. What I would say is be consistent in your output; if your ‘good’ output is JSON, your ‘bad’ output should be too; whatever’s calling your page is expecting JSON as the result, so don’t cause a failure in the fetching script as well.

Log the error somewhere (if it’s not already being logged) and report a descriptive-but-not-exposing negative outcome to the ‘user’.
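The pattern discussed in this reply, as an added example that is not part of the original post or the code under review: an endpoint that answers in JSON for both outcomes, writes the internal error to the log, and returns only a generic message plus a reference id. The names `respond`, `saveComment` and `handle`, the response fields, and the simulated database failure are all assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: every response, good or bad, leaves as JSON,
// so the fetching script can always parse what it gets back.
function respond(int $status, array $body): void
{
    if (!headers_sent()) {
        http_response_code($status);
        header('Content-Type: application/json; charset=utf-8');
    }
    echo json_encode($body, JSON_THROW_ON_ERROR), PHP_EOL;
}

// Hypothetical stand-in for the page's database work.
function saveComment(array $input): int
{
    if (!isset($input['comment']) || trim((string) $input['comment']) === '') {
        throw new InvalidArgumentException('comment is required');
    }
    // Constructed failure, standing in for a real driver error.
    throw new RuntimeException('SQLSTATE[HY000] [2002] Connection refused');
}

function handle(array $input): void
{
    try {
        respond(200, ['ok' => true, 'id' => saveComment($input)]);
    } catch (InvalidArgumentException $e) {
        // The caller's mistake: descriptive, and exposes nothing internal.
        respond(400, ['ok' => false, 'error' => $e->getMessage()]);
    } catch (Throwable $e) {
        // Internal fault: full detail goes to the log only, keyed by a
        // random reference the client can quote back to support.
        $ref = bin2hex(random_bytes(4));
        error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
            $e->getMessage(), $e->getFile(), $e->getLine()));
        respond(500, [
            'ok'    => false,
            'error' => 'Could not save the comment.',
            'ref'   => $ref,
        ]);
    }
}

handle(['comment' => 'hello']); // constructed input; takes the 500 path
```

The reference id lets a log entry be matched to a user report without the response carrying the exception text, file path or SQLSTATE.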