Re: Re: XSS Preventing.

> Cons:
> 1. Can't easily edit information in the database

True, so if you use phpmyadmin for editing - don't do what I suggested.

> 2. Can't display raw for the user (e.g. edit a forum post)

Edit a forum? You display the data in TEXTAREA...

> 3. Uses more space in the DB

True, although I use htmlspecialchars() which doesn't replace that many characters.

> 4. Isn't as easily indexed
> 5. Breaks i18n support of internal search engines (sphinx, lucene, etc.)

Thanks for the reply, I will still do it before the DB insert.

*Btw. I should have mentioned I don't use htmlentities(), but htmlspecialchars()*

You're NEVER supposed to sanitize before inserting in the DB.  Ever.
Regarding the "performance" boost, if your application is written so
well that calling htmlentities() is hurting the performance, I bow to
you as writing the highest performing PHP I've ever seen.  I would bet
money that validation and sanitization, even if overdone, wouldn't
take more than 2 or 3 percent of execution time.

Do NOT do this, OP, it's terrible practice.
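The store-raw, encode-at-output approach the reply argues for, as an added example that is not code from the thread or from PHP's documentation; it assumes an in-memory SQLite database via PDO and its own helper names (h, savePost, loadPost, renderPost, renderEditForm).

```php
<?php
// Added example (not from the thread). Store the raw text, encode at output.
// Assumes PDO with SQLite in memory; table and helper names are ours.
declare(strict_types=1);
// Output-side encoding for HTML body and attribute context.
function h(string $s): string
{
    // ENT_QUOTES encodes both quote styles so the value is also safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning '' and silently dropping text.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Insert: prepared statement with the raw body. No htmlspecialchars() here, as the reply
// argues; SQL injection is handled by the parameter binding, not by HTML encoding.
function savePost(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}
function loadPost(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Display: encode once, at the point the data enters an HTML document.
function renderPost(string $body): string
{
    return '<div class="post">' . h($body) . '</div>';
}

// Edit form (con #2 in the thread): the raw text goes into the textarea, still encoded,
// because the browser decodes entities inside <textarea> before showing them to the user.
function renderEditForm(string $body): string
{
    return '<textarea name="body">' . h($body) . '</textarea>';
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');
$id   = savePost($pdo, '<script>alert(1)</script> 1 < 2 & "quotes"'); // constructed input
$body = loadPost($pdo, $id);                                          // comes back raw
echo renderPost($body), "\n";      // markup is inert in the page
echo renderEditForm($body), "\n";  // user sees the original text in the textarea
// Why encoding at insert time bites (cons #1 and #2): a body that was encoded on the way in
// and is encoded again on the way out is displayed double-encoded (entity names become visible text).
echo renderPost(htmlspecialchars($body, ENT_QUOTES, 'UTF-8')), "\n";
```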


