Philip Thompson wrote:
On Jun 23, 2009, at 9:29 AM, Martin Zvarík wrote:
Don't htmlentities() before DB save. In general:
- mysql_real_escape_string() before DB insertion
- htmlentities() before display
I, on the other hand, would do htmlentities() BEFORE insertion.
Pros:
---
The text is processed once and doesn't have to be htmlentitied()
every time you read the database - what a stupid waste of performance
anyway.
Cons:
---
Instead of "&" you'll see "&amp;" ... is that a problem? Not for me, and I
believe 80% of others who use a DB to store & view on the web.
I had a problem with storing &amp; into the database instead of just &.
When I wanted to search for something and "&" was in the value,
typing "&" would not find the result. I fixed that by not using
htmlentities() before inputting data into the database. IMO, using
htmlentities() or htmlspecialchars() before inserting into db is
inherently wrong. Making calls to those functions should have negligible
impact on the application - there are other ways to improve the
performance of your application.
My too scents,
~Philip
Martin
You could do htmlentities() at the search string...
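Both sides of the thread can be tried out directly. The following is an added example, not code posted by either participant: it reproduces Philip's search problem and Martin's "encode the search string too" workaround against an in-memory SQLite database (pdo_sqlite assumed), and shows the double-encoding that encode-on-insert invites once a display layer encodes again. The table, column and sample values are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Prepared statements stand in for
// mysql_real_escape_string(): bound values never become part of the SQL text,
// so the data itself needs no SQL escaping at all.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE companies (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $db;
}

function insertName(PDO $db, string $name): void {
    $stmt = $db->prepare('INSERT INTO companies (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Substring search. The needle is bound as a parameter, so "&", quotes and
// semicolons are matched literally; only "%" and "_" keep their LIKE meaning.
function searchNames(PDO $db, string $needle): array {
    $stmt = $db->prepare('SELECT name FROM companies WHERE name LIKE :pat');
    $stmt->execute([':pat' => '%' . $needle . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The HTML encoding step, wherever it is applied.
function enc(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

$raw    = 'Smith & Sons';  // constructed sample value containing an ampersand
$needle = '& Sons';        // what a user types into the search box

// Approach 1 (Martin): encode before insertion. The row now reads "Smith &amp; Sons".
$db1 = setupDb();
insertName($db1, enc($raw));
$miss = searchNames($db1, $needle);        // finds nothing: "&amp; Sons" != "& Sons"
$hit  = searchNames($db1, enc($needle));   // Martin's workaround: encode the needle too
// Any template layer that encodes on output then turns "&amp;" into "&amp;amp;":
$doubleEncoded = enc($hit[0]);

// Approach 2 (Philip): store the raw value, encode only when rendering HTML.
$db2 = setupDb();
insertName($db2, $raw);
foreach (searchNames($db2, $needle) as $name) {  // matches as typed by the user
    echo '<li>' . enc($name) . "</li>\n";        // encoding happens exactly once, here
}
printf("approach 1: %d miss, %d hit, double-encoded: %s\n",
       count($miss), count($hit), $doubleEncoded);
```

The workaround in approach 1 has to be repeated on every read path that compares user input against stored text (search, sorting, exports, API responses), whereas approach 2 keeps the encoding at the one place that actually emits HTML.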
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php