Re: Filtering _REQUEST.. Why is this bad?


On Mon, 2007-02-12 at 21:20 -0500, Travis Doherty wrote:
> Hello.
> 
> Came across some code that startled me.  Mostly because it goes against
> the generally accepted idea of detecting and rejecting bad input instead
> of trying to escape it, secondly because "it just feels wrong."
> 
> The only technical case I have so far is for inserting a double/single
> quote into the database. It will get inserted as its htmlentities equiv
> of '"' for example.  In the future if they wanted to display the
> data in the database in a format other than html it will be messy.
> 
> So... the question is: What else is wrong with this? or.. Why is this so
> bad?

It's probably prone to character-set attacks.

As for storing the content like that in the database, sometimes it is
done as an optimization... so that on every future retrieval the
encoding doesn't have to be redone. Sure, it decreases the flexibility
of the content, but it also decreases processing time for the future.
Given that they're inserting the content into the database without
proper escaping, they're probably not aware of optimization and it's
just an example of poor coding.

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
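An added example (not from this thread or from either poster) that puts the two approaches under discussion side by side: the "HTML-encode everything in $_REQUEST before it reaches the database" pattern Travis found, and the usual alternative of storing the raw value with bound parameters and encoding it per output sink. It assumes PHP 7.4+ with the pdo_sqlite extension so it runs offline against an in-memory database; the sample form input is constructed.

```php
<?php
// Added example, not code from the mailing-list thread. Assumes PHP 7.4+
// with pdo_sqlite available in the CLI.

// Constructed sample input, as a form might submit it.
$input = ['comment' => 'He said "hi" & left <b>early</b>'];

// --- Pattern from the thread: blanket encoding at input time ---------------
function encodeAllRequestFields(array $request): array
{
    // Without an explicit charset, older PHP versions assume ISO-8859-1, so
    // bytes that are invalid in the assumed charset can be decoded differently
    // by the encoder and by the browser (the "character-set attack" concern).
    // ENT_QUOTES is what turns " into &quot; before the value is ever stored.
    return array_map(fn($v) => htmlentities($v, ENT_QUOTES, 'UTF-8'), $request);
}

// --- Alternative: store the raw value, bind parameters, encode at output ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

function storeComment(PDO $pdo, string $body): int
{
    // Bound parameters keep the value out of the SQL text entirely, so neither
    // SQL escaping nor HTML encoding belongs at this layer.
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function fetchComment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Encoding is chosen per sink, each with an explicit charset or format.
function renderHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderJson(string $s): string
{
    return json_encode($s, JSON_THROW_ON_ERROR);
}

// Run both approaches over the same input and compare what the database holds.
$encoded   = encodeAllRequestFields($input);
$idEncoded = storeComment($pdo, $encoded['comment']);
$idRaw     = storeComment($pdo, $input['comment']);

echo "Stored (encoded at input): ", fetchComment($pdo, $idEncoded), "\n";
echo "Stored (raw):              ", fetchComment($pdo, $idRaw), "\n";

// The pre-encoded row is wrong for every non-HTML consumer, e.g. a JSON API:
echo "JSON from encoded row:     ", renderJson(fetchComment($pdo, $idEncoded)), "\n";
echo "JSON from raw row:         ", renderJson(fetchComment($pdo, $idRaw)), "\n";

// The raw row is encoded only at the moment it is placed into an HTML page:
echo "HTML from raw row:         ", renderHtml(fetchComment($pdo, $idRaw)), "\n";
```

Run it with `php example.php`. The first two lines show the problem Travis raised: the pre-encoded row contains `&quot;` and `&amp;` literally, so any later non-HTML rendering (JSON here, but equally plain-text e-mail or CSV) has to undo the HTML encoding first. The last line shows the same protection against injection into a page, obtained by encoding at the sink with an explicit charset instead of at the input.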

