Re: I need a fresh look at storing variables in MySQL

On Sun, Mar 14, 2010 at 11:16 AM, Ashley Sheridan
<ash@xxxxxxxxxxxxxxxxxxxx> wrote:

>  That function won't always work. You're using a PHP version check for
> mysql_real_escape_string() when the most likely failure point for it is if
> no database connection has been opened.
>

I never call it without an open db connection..


>
> Also, you shouldn't strip the tags from a string that's being inserted into
> the database. strip_tags() is for the display of data on a web page. It's
> best practice not to alter the actual data you've stored but to convert it
> once it's displayed. Don't forget that the browser display may not be the
> only use for that data.
>

Let's call that a coder's / payer's preference..

If I'd need human text, I'd want to strip it of computer code before it
enters the db. Possibly log the attempt to insert code.
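
The two positions in this exchange, side by side, as an added example that is not part of the original thread or either poster's code. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline; the `comments` table, its columns and the sample strings are constructed for illustration.

```php
<?php
// Constructed sample inputs: one with markup, one legitimate text containing angle brackets.
$samples = [
    'Nice post <script>alert(1)</script>',
    'The loop runs while a<b and stops when c>d',
];

// Assumption: in-memory SQLite stands in for the MySQL table discussed in the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, raw TEXT, stripped TEXT)');

$insert = $db->prepare('INSERT INTO comments (raw, stripped) VALUES (:raw, :stripped)');

foreach ($samples as $text) {
    // Approach from the reply: strip tags before the value enters the database.
    $stripped = strip_tags($text);
    if ($stripped !== $text) {
        // Also from the reply: log that the input contained something tag-like.
        error_log('tag-like input seen: ' . json_encode($text));
    }
    // Bound parameters take care of SQL quoting, so nothing here depends on
    // an escape function that needs a particular connection state.
    $insert->execute([':raw' => $text, ':stripped' => $stripped]);
}

foreach ($db->query('SELECT raw, stripped FROM comments') as $row) {
    // Approach from the quoted message: store the data unaltered and
    // HTML-escape it only when it is written into a web page.
    echo 'raw, escaped on output : ',
        htmlspecialchars($row['raw'], ENT_QUOTES, 'UTF-8'), "\n";
    // The stripped copy still needs output escaping; compare what text survived.
    echo 'stripped before storage: ',
        htmlspecialchars($row['stripped'], ENT_QUOTES, 'UTF-8'), "\n\n";
}
```

Running it shows what each stored copy contains for the second sample, where the angle brackets are ordinary text rather than markup.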
