Cons:

1. Can't easily edit information in the database
2. Can't display raw for the user (e.g. edit a forum post)
3. Uses more space in the DB
4. Isn't as easily indexed
5. Breaks i18n support of internal search engines (sphinx, lucene, etc.)

You're NEVER supposed to sanitize before inserting in the DB. Ever.

Regarding the "performance" boost, if your application is written so well that calling htmlentities() is hurting the performance, I bow to you as writing the highest performing PHP I've ever seen. I would bet money that validation and sanitization, even if overdone, wouldn't take more than 2 or 3 percent of execution time.

Do NOT do this, OP, it's terrible practice.

On Tue, Jun 23, 2009 at 10:29 AM, Martin Zvarík <mzvarik@xxxxxxxxx> wrote:
>>
>> Don't htmlentities() before DB save. In general:
>>
>> - mysql_real_escape_string() before DB insertion
>>
>> - htmlentities() before display
>>
>
> I, on the other hand, would do htmlentities() BEFORE insertion.
>
> Pros:
> ---
> The text is processed once and doesn't have to be htmlentitied() every time
> you read the database - what a stupid waste of performance anyway.
>
> Cons:
> ---
> Instead "&" you'll see "&amp;" ... is that a problem? Not for me and I
> believe 80% of others who use DB to store & view on web.
>
> Martin
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
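The split the thread is arguing about (escape for the SQL boundary at insertion, escape for the HTML boundary at display, keep the stored text raw) worked through as an added example; this is not code from either poster. It assumes the pdo_sqlite extension so it runs against an in-memory database, uses a PDO prepared statement in place of mysql_real_escape_string() (which is gone from current PHP), and the forum post text is constructed for the demonstration. It also shows the two costs the reply lists for encoding before insertion: the raw text can no longer be handed back to an edit form, and a plain search over the column stops matching what the user typed.

```php
<?php
// Added example, not from the mailing-list thread.
// Assumes PHP with the pdo_sqlite extension (in-memory database, runs offline).
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Storage layer: the SQL boundary is handled by the prepared statement
// (the modern counterpart of the thread's mysql_real_escape_string() advice).
// The body itself is stored exactly as the user typed it.
function savePost(PDO $db, string $body): int {
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Output layer: escape for the HTML context only at render time.
function renderPost(string $rawBody): string {
    return '<p>' . htmlspecialchars($rawBody, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Number of rows whose body contains $needle as plain text (constructed
// stand-in for the "internal search engine" the reply mentions).
function countMatches(PDO $db, string $needle): int {
    $stmt = $db->prepare('SELECT COUNT(*) FROM posts WHERE body LIKE :needle');
    $stmt->execute([':needle' => '%' . $needle . '%']);
    return (int) $stmt->fetchColumn();
}

// Constructed sample input: a forum post the author should be able to re-edit verbatim.
$input = 'Tom & Jerry <script>alert(1)</script> "quoted"';

$db = openDb();
$id = savePost($db, $input);
$stored = loadPost($db, $id);

// 1. Raw round-trip: the edit form gets back exactly what was submitted.
if ($stored !== $input) {
    throw new RuntimeException('stored body was altered');
}

// 2. Rendering is safe and happens at the HTML boundary, once per display.
echo renderPost($stored), PHP_EOL;
// <p>Tom &amp; Jerry &lt;script&gt;alert(1)&lt;/script&gt; &quot;quoted&quot;</p>

// 3. What encode-before-insert costs. Encoding on the way in and again on the
//    way out double-escapes, so the reader sees "&amp;" and "&lt;" literally...
$preEncoded = htmlentities($input, ENT_QUOTES, 'UTF-8');
savePost($db, $preEncoded);
echo renderPost($preEncoded), PHP_EOL;
// <p>Tom &amp;amp; Jerry &amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt; &amp;quot;quoted&amp;quot;</p>

// ...and a search for the user's own words only finds the raw row, not the
//    pre-encoded one, because "&" is stored there as "&amp;".
echo 'rows containing "Tom & Jerry": ', countMatches($db, 'Tom & Jerry'), ' of 2', PHP_EOL;
// rows containing "Tom & Jerry": 1 of 2
```

Run with `php example.php`. The design point is that each boundary escapes for its own consumer: the prepared statement protects the SQL parser, htmlspecialchars() protects the HTML parser, and neither transformation leaks into the other's data.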