On Sun, Mar 14, 2010 at 11:16 AM, Ashley Sheridan

>  That function won't always work. You're using a PHP version check for
> mysql_real_escape_string() when the most likely failure point for it is if
> no database connection has been opened.

I never call it without an open db connection..

> Also, you shouldn't strip the tags from a string that's being inserted into
> the database. strip_tags() is for the display of data on a web page. It's
> best practice not to alter the actual data you've stored but to convert it
> once it's displayed. Don't forget that the browser display may not be the
> only use for that data.

Let's call that a coder's / payer's preference..

If i'd need human text, i'd want to strip it of computer code before it
enters the db. Possibly log the attempt to insert code.

Reply via email to