Eddie Drapkin wrote:
2. Can't display raw for the user (e.g. edit a forum post)
Edit a forum? You display the data in TEXTAREA...
Because seeing something like:
<textarea>"Yeah!" is what he said. </textarea>
Is awesome for the user experience.
If you don't do html...() before putting to textarea this can happen:
<textarea> blabla <b></textarea> blabla </textarea>
3. Uses more space in the DB
although I use htmlspecialchars() which doesn't replace that many
That makes it no better of a practice to pre-sanitize.
You've still yet to offer any compelling reasons why you think this is
a good idea.
It's DEFINITELY easier to store RAW data in the DB, because it won't give
you any headaches in the future - when you might need to add some other
functionality requiring this.
But for me personally, doing htmlspecialchars() BEFORE the DB
insertion is the choice to go with, because I am looking for performance.