Html purifier insert before or after Db

Is it better to use purify before
or after the db ?


Why would you store something if it could possibly do your database harm? Purify before you do anything with it.

Input data should nearly always be validated and purified before anything is done with it.

I disagree (with purified before not for the validation) I don’t think to harm the db
if I also insert for instance
< script >doHarm </script>
the real trouble if to display it in the view
without escape it (htmlenties)

Escape only for the circumstance you are in.

In otherwords - escape the input for SQL injection before entering into the database - so use MySQL_Real_Escape_String or PDO prepared statments etc.

When it comes to outputting HTML, escape for HTML.

If you escape for HTML when putting it into the database, you’ll need to unescape it for non-html output, e.g. when editing it inside a textarea, or serving it as a txt file etc.

Keep prepared for circumstances where you won’t be definitely outputting content as HTML.

I agree :slight_smile:

Bye and thanks for the help.

RIP Dan Schulz :frowning:

I would go with “before” because purifier is a fairly slow script. It’s slow because it does lots of things like inspects each unicode character first and then inspects the html
On their website, they recommend running the purifier before the insert, otherwise if you run in after the sql select on every page load, your pages will load much slower.

Thanks for the point but I saw a cache system
can it enhance the performance ?
I’m quite new at Html purifier :slight_smile:


I thought HTML Purifier didn’t have a bundled cache system.

And yes, you should either do it before (and perhaps store it somewhere else) or do it after, but cache the results.

If having both a processed, and unprocessed version of the data would be highly useful to you in different situations, you can always store both versions in the db. You just need to take care to maintain both versions.

For example, I’m not sure if it does, but this very forum might store both a version of my post with the raw bbcode(so I can edit my post), as well as a version of my post with bbcode transformed to html.

A seperate caching layer instead of this may or may not be more suitable. Depends :slight_smile: