On Jun 23, 2009, at 9:29 AM, Martin Zvarík wrote:
Don't htmlentiies() before DB save. In general:
- mysql_real_escape_string() before DB insertion
- htmlentities() before dispaly
I, on the other hand, would do htmlentities() BEFORE insertion.
The text is processed once and doesn't have to be htmlentitied()
everytime you read the database - what a stupid waste of performance
Instead "&" you'll see "&" ... is that a problem? Not for me and
I believe 80% of others who use DB to store & view on web.
I had a problem with storing & into the database instead of just
&. When I wanted to search for something and "&" was in the value,
typing "&" would not find the result. I fixed that by not using
htmlentities() before inputing data into the database. IMO, using
htmlentities() or htmlspecialchars() before inserting into db is
inherently wrong. Making calls to those functions should have
negligible impact on the application - there are other ways to improve
the performance of your application.
My too scents,
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php