Html purifier insert before or after Db

Hi,
Is it better to use purify before or after the db?

Bye.

Why would you store something if it could possibly do your database harm? Purify before you do anything with it.

Input data should nearly always be validated and purified before anything is done with it.

I disagree (with purifying before, not with the validation). I don’t think it harms the db if I also insert, for instance:
< script >doHarm </script>
The real trouble is displaying it in the view without escaping it (htmlentities).
imho

Escape only for the circumstance you are in.

In other words - escape the input for SQL injection before entering it into the database - so use MySQL_Real_Escape_String or PDO prepared statements etc.

When it comes to outputting HTML, escape for HTML.

If you escape for HTML when putting it into the database, you’ll need to unescape it for non-html output, e.g. when editing it inside a textarea, or serving it as a txt file etc.

Keep prepared for circumstances where you won’t be definitely outputting content as HTML.

I agree :slight_smile:

Bye and thanks for the help.

RIP Dan Schulz :frowning:

I would go with “before” because purifier is a fairly slow script. It’s slow because it does lots of things, like inspecting each unicode character first and then inspecting the html.
On their website, they recommend running the purifier before the insert; otherwise, if you run it after the sql select on every page load, your pages will load much slower.

Thanks for the point, but I saw a cache system. Can it enhance the performance?
I’m quite new at Html purifier :slight_smile:

Bye

I thought HTML Purifier didn’t have a bundled cache system.

And yes, you should either do it before (and perhaps store it somewhere else) or do it after, but cache the results.

If having both a processed, and unprocessed version of the data would be highly useful to you in different situations, you can always store both versions in the db. You just need to take care to maintain both versions.

For example, I’m not sure if it does, but this very forum might store both a version of my post with the raw bbcode (so I can edit my post), as well as a version of my post with bbcode transformed to html.

A separate caching layer instead of this may or may not be more suitable. Depends :slight_smile:
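Putting the thread's advice together as an added example (this is not code from any poster above or from the HTML Purifier project): purify once, before the insert, and store both the raw and the purified copy with a PDO prepared statement; on output pick the copy that fits the context, so the stored purified HTML is echoed as-is, the raw copy is htmlspecialchars()-escaped only when it lands inside a textarea, and is sent untouched for a text/plain download. The `posts` table with `body_raw`/`body_html` columns, the DSN and credentials, and the cache directory are assumptions for illustration. Note that HTML Purifier's own `Cache.SerializerPath` setting caches its parsed definitions, not purified output, so it speeds up constructing the purifier but does not remove the per-request cost of purifying on every SELECT.

```php
<?php
// Added example, not from the thread or from HTML Purifier itself.
// Assumes HTML Purifier is installed via Composer (ezyang/htmlpurifier).
require_once __DIR__ . '/vendor/autoload.php';

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist of tags/attributes the application actually needs.
    $config->set('HTML.Allowed', 'p,b,i,strong,em,a[href],ul,ol,li,br');
    // Caches HTML Purifier's *definitions*, not purified output.
    // Directory is an assumption; it must exist and be writable.
    $config->set('Cache.SerializerPath', __DIR__ . '/cache/htmlpurifier');
    return new HTMLPurifier($config);
}

function connect(): PDO
{
    // Placeholder DSN/credentials; replace with your own.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

/**
 * Escape for the database context only: the prepared statement handles
 * SQL injection, while purification (the HTML context) happens once here
 * so it is not repeated on every page load.
 */
function storePost(PDO $pdo, HTMLPurifier $purifier, string $raw): int
{
    $clean = $purifier->purify($raw);
    $stmt  = $pdo->prepare('INSERT INTO posts (body_raw, body_html) VALUES (:raw, :html)');
    $stmt->execute([':raw' => $raw, ':html' => $clean]);
    return (int) $pdo->lastInsertId();
}

function loadPost(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare('SELECT body_raw, body_html FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException("post $id not found");
    }
    return $row;
}

/** HTML page context: the stored copy was already purified, echo it as-is. */
function renderPostHtml(array $row): string
{
    return '<div class="post">' . $row['body_html'] . '</div>';
}

/** Edit form context: the raw copy goes in a textarea, so escape for HTML here. */
function renderEditForm(array $row): string
{
    $escaped = htmlspecialchars($row['body_raw'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<textarea name="body">' . $escaped . '</textarea>';
}

/** Plain-text context: no HTML escaping at all, or the user sees &lt; in the file. */
function sendAsText(array $row): void
{
    header('Content-Type: text/plain; charset=utf-8');
    header('Content-Disposition: attachment; filename="post.txt"');
    echo $row['body_raw'];
}

// Constructed sample input: markup the whitelist allows plus a script tag it drops.
$dirty = '<p>Hello <b>world</b></p><script>doHarm()</script>';

$pdo      = connect();
$purifier = makePurifier();
$id       = storePost($pdo, $purifier, $dirty);
$row      = loadPost($pdo, $id);

echo renderPostHtml($row), "\n";  // purified fragment: the <script> element is gone
echo renderEditForm($row), "\n";  // raw text, entity-escaped, so the author can edit it
```

If you later need a third representation (bbcode to HTML, say), add another column or a separate cache keyed by the post id rather than re-running the purifier on read.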