Eddie Drapkin wrote:
>>> 2. Can't display raw for the user (e.g. edit a forum post)

Edit a forum? You display the data in a TEXTAREA... Because seeing something like:

<textarea>"Yeah!" is what he said. </textarea>

is awesome for the user experience.

If you don't do html...() before putting it into the textarea, this can happen:

<textarea> blabla <b></textarea> blabla </textarea>

See?

>>> 3. Uses more space in the DB
>> True, although I use htmlspecialchars() which doesn't replace that many characters.
> That makes it no better of a practice to pre-sanitize. You've still yet to offer any compelling reasons why you think this is a good idea.

It's DEFINITELY easier to store RAW data in the DB, because it won't give you any headaches in the future, when you might need to add some other functionality requiring this.

But for me personally, doing htmlspecialchars() BEFORE the DB insertion is the choice to go, because I am looking for performance.

ok? respect
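An added example (not from this thread) showing in PHP why the textarea case above needs escaping at output time, and how the "escape before the DB insert" strategy from the reply interacts with a second escaping step; the sample post text is constructed:

```php
<?php
// Added example, not from the thread. Compares the two storage strategies
// discussed above when the stored text is later shown in a <textarea>.

// Constructed sample of what a user might have typed into a post.
$raw = 'blabla </textarea> blabla "quoted"';

// Rendering the textarea WITHOUT escaping: a stored </textarea> closes the
// element early, so the rest of the post lands outside the form control.
function renderUnsafe(string $text): string {
    return "<textarea name=\"body\">{$text}</textarea>";
}

// Rendering WITH escaping at output time: <, >, & and quotes become entities,
// so the browser shows them as literal characters inside the textarea.
function renderSafe(string $text): string {
    return '<textarea name="body">'
        . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</textarea>';
}

// Strategy A: store raw, escape once on output.
$storedRaw = $raw;
echo renderSafe($storedRaw), "\n";
// <textarea name="body">blabla &lt;/textarea&gt; blabla &quot;quoted&quot;</textarea>

// Strategy B: escape before the DB insert. The stored text must then be
// emitted verbatim; escaping it again doubles the entities (the user sees a
// literal "&lt;") unless double_encode is switched off.
$storedEscaped = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo renderUnsafe($storedEscaped), "\n";   // correct output for strategy B
echo renderSafe($storedEscaped), "\n";     // double-encoded: &amp;lt;/textarea&amp;gt;
echo '<textarea name="body">'
   . htmlspecialchars($storedEscaped, ENT_QUOTES | ENT_HTML5, 'UTF-8', false)
   . "</textarea>\n";                      // double_encode=false: same as strategy A
```

The practical consequence is that strategy B forces every output path (and every later feature such as an API or plain-text export) to know the data is already HTML-escaped, which is the "headache" the reply mentions.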

