On Jun 23, 2009, at 9:29 AM, Martin Zvarík wrote:

Don't htmlentities() before DB save.  In general:
- mysql_real_escape_string() before DB insertion
- htmlentities() before display

I, on the other hand, would do htmlentities() BEFORE insertion.

The text is processed once and doesn't have to be htmlentitied() every time you read the database - what a stupid waste of performance anyway.

Instead of "&" you'll see "&amp;" ... is that a problem? Not for me and I believe 80% of others who use DB to store & view on web.

I had a problem with storing &amp; into the database instead of just &. When I wanted to search for something and "&" was in the value, typing "&" would not find the result. I fixed that by not using htmlentities() before inputting data into the database. IMO, using htmlentities() or htmlspecialchars() before inserting into db is inherently wrong. Making calls to those functions should have negligible impact on the application - there are other ways to improve the performance of your application.

My too scents,
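The two positions in the thread, shown side by side in an added example that is not part of the original discussion. It uses PDO with an in-memory SQLite database (assumed to be available via the pdo_sqlite extension) so it runs offline; the table name, column names and the "Tom & Jerry" input are constructed for illustration. Bound parameters stand in for mysql_real_escape_string(), which is how the "escape for the database" step is done in current PHP, and the output step escapes with htmlspecialchars() in the HTML context. The search query reproduces the mismatch the second poster describes.

```php
<?php
// Added example (not from the mailing-list thread): store raw text, escape
// only when rendering. pdo_sqlite is assumed so the script needs no server.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input containing characters that are special in HTML.
$input = 'Tom & Jerry <script>alert(1)</script>';

// Row 1 (the advice Martin quoted): store the raw value. The bound parameter
// does the job mysql_real_escape_string() once did; no HTML encoding here.
$insert = $pdo->prepare('INSERT INTO items (name) VALUES (:name)');
$insert->execute([':name' => $input]);

// Row 2 (Martin's preference): HTML-encode before storing. The stored bytes
// are now "Tom &amp; Jerry &lt;script&gt;...", not what the user typed.
$insert->execute([':name' => htmlentities($input, ENT_QUOTES, 'UTF-8')]);

// Search the way a user would, with a literal ampersand in the term.
function findByName(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM items WHERE name LIKE :pat');
    $stmt->execute([':pat' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$hits = findByName($pdo, 'Tom & Jerry');
// Only row 1 matches; row 2 holds "&amp;" and is never found by "&".
printf("rows matching 'Tom & Jerry': %d (ids: %s)\n",
    count($hits), implode(',', array_column($hits, 'id')));

// Render: escape at display time, every time, for the HTML body context.
foreach ($pdo->query('SELECT id, name FROM items') as $row) {
    printf("<li>%d: %s</li>\n",
        $row['id'], htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'));
}
// Row 2 shows the double-encoding symptom: its "&amp;" becomes "&amp;amp;",
// which the browser displays as the literal text "&amp;".
```

Escaping at output is also what keeps the stored data usable elsewhere (a JSON API, a CSV export, a plain-text e-mail), since each consumer applies the encoding its own context needs; a value pre-encoded for HTML is wrong in every other context and has to be decoded first.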


PHP General Mailing List (http://www.php.net/)