I am trying to write a function that will do all the string validation on my project. I am doing this so that I can validate a charset and string length in one place, which makes it easier for me to maintain in the long run. Someone told me to do it like:
$var = mysql_real_escape_string(trim(nl2br(htmlentities($var))));
if (strlen($var) < 3 || strlen($var) > 400) {
    // do something
}
That is roughly how I used to do it.
A Freaker (not sure who) told me this is wrong and that I should use htmlentities() (and probably also nl2br()) only before displaying the strings. So here I am, confused and not knowing how I should be validating strings prior to adding them to the DB. The situation I want to get to (I THINK) is something like...
$var = mysql_real_escape_string(trim($var));
if (!validate_string($var)) {
    // do something
}
As I said, I don't know if that's correct or not.
How do you Freakers do it? What is "best practice"? Ideally, I would just want to have valid UTF-8 strings in my DB, but I have very, very little experience with this.
ALSO: I know I'm not supposed to be using MySQL, but converting is not an option at this point. Please leave that be.
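An added example (not the poster's code and not from the thread) of the split the question is circling around: validate on input, parameterise for SQL, and escape for HTML only at display time. It assumes PHP 7 or later with the mbstring and pdo_sqlite extensions; SQLite stands in for MySQL so the script runs offline, and the prepared statement is written the same way against PDO's mysql driver or mysqli. The function names validate_string, store_comment, load_comment and render_comment, the comments table, and the sample inputs are all constructed for this illustration.

```php
<?php
// Added example, not the original poster's code. Three separate jobs:
// validate on input, parameterise for SQL, escape for HTML at display time.
// Assumes PHP 7+ with the mbstring and pdo_sqlite extensions. SQLite stands
// in for MySQL so the script runs offline; with PDO's mysql driver or mysqli
// the prepared statement is written the same way.
declare(strict_types=1);

/**
 * Validate one user-supplied string: well-formed UTF-8, no control
 * characters other than tab/newline, and $min..$max characters (not bytes).
 * Returns the trimmed value, or null if it is rejected. No escaping here.
 */
function validate_string(string $input, int $min = 3, int $max = 400): ?string
{
    // Reject malformed UTF-8 first; mb_* and the database both assume it.
    if (!mb_check_encoding($input, 'UTF-8')) {
        return null;
    }
    $value = trim($input);
    // C0 control characters and DEL, except \t \n \r, have no place in text.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value) === 1) {
        return null;
    }
    // strlen() counts bytes, so "é" would count as 2; mb_strlen counts characters.
    $len = mb_strlen($value, 'UTF-8');
    if ($len < $min || $len > $max) {
        return null;
    }
    return $value;
}

/** Store the raw (validated) text; the driver quotes the parameter, not us. */
function store_comment(PDO $db, string $comment): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
    return (int) $db->lastInsertId();
}

/** Fetch by id, also parameterised, returning the stored text unchanged. */
function load_comment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = ?');
    $stmt->execute([$id]);
    return (string) $stmt->fetchColumn();
}

/** Escape for HTML only when rendering; nl2br belongs here too, not in the DB. */
function render_comment(string $comment): string
{
    return nl2br(htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Constructed sample inputs covering the cases the validator has to handle.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$inputs = [
    "  Héllo, wörld!\nsecond line  ",          // valid: multibyte, needs trim
    "ab",                                      // too short
    "bad\xC3\x28utf8",                         // \xC3 not followed by a continuation byte
    "tab\tok but \x01 not",                    // embedded control character
    "O'Reilly <script>alert(1)</script>",      // valid text; must round-trip verbatim
];
foreach ($inputs as $raw) {
    $clean = validate_string($raw);
    if ($clean === null) {
        echo "rejected: " . bin2hex($raw) . "\n";
        continue;
    }
    $id = store_comment($db, $clean);
    $stored = load_comment($db, $id);
    // Stored value equals the validated input: the quote and the tags are intact
    // in the DB and only get neutralised for the HTML context.
    echo ($stored === $clean ? "stored" : "CORRUPTED") . " #$id -> " . render_comment($stored) . "\n";
}
```

Two caveats the one-liner in the question hides. mysql_real_escape_string() only protects one context (a quoted SQL string literal) and the whole mysql_* extension was removed in PHP 7.0, so a prepared statement is the remaining option with the same database; and strlen() counts bytes, so a 400-byte limit silently shortens the allowed length for anything outside ASCII, which is why the example measures with mb_strlen() after checking the encoding.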