Safely storing and outputting data

In my application I use this method to store and to output the data. I would like to know if it is safe and correct.

##store the data###
// requires the HTMLPurifier library to be loaded and an open mysql_* connection
function clean($testo) {
    $config = HTMLPurifier_Config::createDefault();
    $purifier = new HTMLPurifier($config);
    $testo = $purifier->purify($testo);

    // escape for the SQL string context (only valid inside a quoted literal)
    $testo = mysql_real_escape_string($testo);
    return $testo;
}
$value = clean($_POST['value']);
// the clean function contains mysql_real_escape_string and the HTMLPurifier class
$sql = mysql_query("insert into table values(null,'$value');");

##output the data####
$sql = mysql_query("select * from table");
$val = mysql_fetch_array($sql); // one row: [0] => id, [1] => stored value
function echoValue($valore) {
    $valore = htmlspecialchars(strip_tags(stripslashes($valore)), ENT_QUOTES, "UTF-8");
    return $valore;
}
echo echoValue($val[1]);
// the echoValue function contains stripslashes, strip_tags and htmlspecialchars


To “safely” store data, please don’t use mysql_* functions. Use PDO or mysqli.

Also, use prepared statements wherever you use a “where” clause in queries. That will protect you against injection.
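The store-and-output path from the question, rewritten with PDO prepared statements as the answer recommends. This is an added example, not code from the poster or the answerer. It binds the INSERT value as a parameter too (the original escaped it by hand), stores the input as typed rather than escaping it at storage time, and escapes for HTML only when rendering. The table name `messages`, its columns `id` and `body`, the DSN and the credentials are assumptions for illustration.

```php
<?php
// Added example (not the original poster's code). Assumed schema:
//   CREATE TABLE messages (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT);
// DSN and credentials below are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4'; // assumed
    return new PDO($dsn, 'app_user', 'app_password', [        // assumed
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Store: the value travels separately from the SQL text, so there is no
// string context to escape. Keep the data exactly as the user typed it.
function storeMessage(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Read: bind even a simple integer lookup instead of interpolating it.
function fetchMessage(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM messages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row['body'];
}

// Output: escape for the context the value is rendered in (HTML text here).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$pdo   = connect();
$input = (isset($_POST['value']) && is_string($_POST['value'])) ? $_POST['value'] : '';
$id    = storeMessage($pdo, $input);
$body  = fetchMessage($pdo, $id);
echo '<p>' . escapeHtml($body ?? '') . '</p>';
```

Two points about the original flow that this version avoids: mysql_real_escape_string only protects the SQL transport, so the database already holds the unescaped text and a stripslashes at output removes legitimate backslashes from the data; and running HTMLPurifier at storage time and then htmlspecialchars at output encodes the purified markup as literal text, so if the field is meant to hold rich HTML, purify at render time instead of entity-encoding it, and use htmlspecialchars only for fields that are plain text.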
