chris...

i would agree, and didn't think it made sense.. but i don't know what you mean by the phrase 'escape all output'!! i don't see the need to escape all output from the mysql db/tbl... so i'm not sure you meant this.

for my $0.02, i'd quote/escape all 'string/date' vars that would be inserted/used within the mysql db. i'd simply go ahead and insert numeric data with no quotes. i'd thoroughly verify/validate, using regex or other methods, all data before using it in the sql commands.

as far as getting data from the mysql db/tbl, i'd simply use the sql command/query. i'd extract the resulting data, and use the data in vars that i've defined to be the specific data type. this allows me to fairly consistently know what data types i'm using, and how to then present the data to the user if i have to, as well as how to use the vars/data in other parts of the given application.

-bruce

-----Original Message-----
From: Chris Shiflett [mailto:shiflett@xxxxxxx]
Sent: Friday, September 23, 2005 9:22 PM
To: bedouglas@xxxxxxxxxxxxx
Cc: php-general@xxxxxxxxxxxxx
Subject: Re: basic user/input form questions... more validation!

bruce wrote:
> my question was directed towards trying to understand if you were
> meaning that an app should escape all output from the mysql db?

If you think about that for a moment, I think you'll see that it doesn't make a lot of sense. Data that you get from a remote source is input, not output. Data that you send to a remote source is output.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
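The approach the two messages describe, as an added example that is not code from either poster: numeric fields are validated and used unquoted, string and date fields are validated, escaped and quoted before they go into the INSERT, and data read back from the table is treated as input and escaped for the context it is sent to (here, HTML). The `users` table, its columns and the connection credentials are constructed for the example.

```php
<?php
// Constructed connection and table for the example (not from the thread).
$db = new mysqli('localhost', 'app', 'PLACEHOLDER_PASSWORD', 'appdb');

// Numeric data: validate strictly, then use it unquoted in SQL.
function validate_id(string $raw): ?int {
    return preg_match('/^[1-9][0-9]{0,9}$/', $raw) ? (int)$raw : null;
}

// String data: restrict the shape, but an apostrophe (O'Brien) is still
// allowed, which is exactly why escaping is needed on top of validation.
function validate_name(string $raw): ?string {
    return preg_match('/^[A-Za-z][A-Za-z \'\-]{0,49}$/', $raw) ? $raw : null;
}

// Date data: check the format and that it is a real calendar date.
function validate_date(string $raw): ?string {
    if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $raw, $m)) {
        return null;
    }
    return checkdate((int)$m[2], (int)$m[3], (int)$m[1]) ? $raw : null;
}

// Strings and dates are escaped and quoted; the integer is not quoted.
function insert_user(mysqli $db, int $id, string $name, string $joined): bool {
    $sql = sprintf(
        "INSERT INTO users (id, name, joined) VALUES (%d, '%s', '%s')",
        $id,
        $db->real_escape_string($name),
        $db->real_escape_string($joined)
    );
    return $db->query($sql) === true;
}

// Rows coming back from the table are input to this script: cast the
// integer and escape the strings for the HTML they are about to go into.
function render_user_row(array $row): string {
    $id     = (int)$row['id'];
    $name   = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
    $joined = htmlspecialchars($row['joined'], ENT_QUOTES, 'UTF-8');
    return "<tr><td>$id</td><td>$name</td><td>$joined</td></tr>";
}

$id     = validate_id($_POST['id'] ?? '');
$name   = validate_name($_POST['name'] ?? '');
$joined = validate_date($_POST['joined'] ?? '');
if ($id === null || $name === null || $joined === null) {
    exit('invalid input');
}
insert_user($db, $id, $name, $joined);
```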