On Wed, Jun 10, 2009 at 3:10 PM, Nitsan Bin-Nun<nitsanbn@xxxxxxxxx> wrote:
> Usually I would support you on this one. In chemistry you always keep
> your stock "pure" and make any observations or mixtures in clean and
> other glasses in order to keep it pure.
>
> When it comes to printing an output or hosting it in a variable and
> then printing it out it is just a matter of taste.
>

It is a matter of taste. If I see a variable named $searchTerms, I expect it to have only the (appropriately sanitized) search terms in it, without any specific escape sequences.

For me, it's the same problem I have with magic_quotes (and related variants). If the magic_quotes setting is enabled, you have to call stripslashes() on the variable before you do just about anything with it, such as passing it to htmlspecialchars(), mysql_real_escape_string(), a DBMS other than MySQL, etc.

All I'm saying is that if I want to assign the returned value of an escape function to a variable, I use a new variable whose name describes its purpose -- Ash's $dbSearchTerms variable does just this -- rather than assigning it back to the original variable. (I do sometimes make an exception when the variable's scope is inside a function whose sole purpose is to escape the value and then do something with the escaped value.)

I just often skip the extra variable and use the function return value directly unless having the extra variable makes the code more readable -- as a matter of taste. :-)

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
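The naming discipline discussed in this thread, as an added example that is not code from the thread or from Ash's post: the raw value stays in $searchTerms, each escaped form gets its own purpose-named variable, and the magic_quotes case is un-escaped exactly once before any context-specific escaping. addslashes() stands in for mysql_real_escape_string(), which needs a live connection, and the sample input is constructed.

```php
<?php
// Added example, not code from the thread. Shows why escaped values belong in
// their own variables: escaping in place and reusing the variable in a second
// context cross-contaminates the two encodings.
// addslashes() is a stand-in for mysql_real_escape_string() (assumption: no
// live DB connection here); the variable names other than $searchTerms and
// $dbSearchTerms are assumed, not taken from the thread.

// Constructed sample input, as a form field might deliver it.
$searchTerms = "O'Reilly & <Sons>";

// Context-specific copies; the original is never overwritten.
$htmlSearchTerms = htmlspecialchars($searchTerms, ENT_QUOTES, 'UTF-8'); // for HTML output
$dbSearchTerms   = addslashes($searchTerms);                             // for a SQL literal

// Anti-pattern: escape in place, then reuse the same variable for a second
// context. After htmlspecialchars() the apostrophe is already an HTML entity,
// so addslashes() finds nothing to escape and the SQL layer receives HTML
// entities instead of the user's text.
$terms = $searchTerms;
$terms = htmlspecialchars($terms, ENT_QUOTES, 'UTF-8');
$terms = addslashes($terms);

// magic_quotes variant: the runtime has already added slashes, so strip them
// exactly once before the context-specific escape, or the value is escaped twice.
$fromMagicQuotes = addslashes($searchTerms);                   // what magic_quotes_gpc would hand you
$dbFromMagic     = addslashes(stripslashes($fromMagicQuotes)); // correct: raw again, then escaped once
$dbDoubleEscaped = addslashes($fromMagicQuotes);               // forgot stripslashes(): escaped twice

printf("raw            : %s\n", $searchTerms);
printf("html           : %s\n", $htmlSearchTerms);
printf("db             : %s\n", $dbSearchTerms);
printf("html then db   : %s\n", $terms);
printf("magic, once    : %s\n", $dbFromMagic);
printf("magic, twice   : %s\n", $dbDoubleEscaped);
```

Run it and compare the "db" line with "html then db" and "magic, twice": only the first is a correct SQL-literal encoding of the raw input.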