I was wondering if anyone could give me some advice in deciding the most appropriate time to use htmlspecialchars():
When user input is accepted and error-checked and ready to be inserted into the database? Or when user input is pulled from the database and ready to be displayed to the screen?

It seems that running htmlspecialchars() BEFORE the data goes into the database is the "safest" way to do it, so that potentially malicious characters and tags never actually make it past the script. But upon thinking about the implications of this, it strikes me that this will affect the integrity of my data -- ideally, I want to keep the data as "pristine" as possible while it is in the database, since it might end up being parsed by something other than a browser someday, in which case it would be best to leave the data as is.

I'm leaning toward the second method, but I want to make sure that doing so won't expose me to any risks that I haven't considered. Please give me your thoughts on this.

Erik

----
Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
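Added example, not part of Erik's message or of the list archive: a small PHP script that walks through both placements of htmlspecialchars() the question weighs. An in-memory variable stands in for the database (assumption: no real connection), and the helper name escape_html(), the sample string and the variable names are constructed for illustration.

```php
<?php
// Added example (not from the original message). Compares escaping user
// input before it is stored with storing it raw and escaping at display time.
// Assumption: plain variables stand in for database columns; no real DB.

declare(strict_types=1);

// Encode a value for an HTML text or attribute context.
// ENT_QUOTES also converts single quotes, so the result is safe inside
// single-quoted attributes; the explicit charset avoids surprises when the
// page's encoding is not the PHP default.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Approach 1: escape on the way into the database.
// The stored value is now specific to one output format (HTML).
function store_escaped(string $submitted): string
{
    return escape_html($submitted);
}

// Approach 2: store exactly what was submitted (after validation, which is
// a separate concern) and escape every time the value reaches an HTML page.
function store_raw(string $submitted): string
{
    return $submitted;
}

// Rendering under approach 1: the template must NOT escape again.
function render_from_escaped(string $stored): string
{
    return '<p>' . $stored . '</p>';
}

// Rendering under approach 2: the template escapes, every time, at the
// point where the data meets the HTML context.
function render_from_raw(string $stored): string
{
    return '<p>' . escape_html($stored) . '</p>';
}

// What a non-HTML consumer (CSV export, JSON API, e-mail) would receive.
function export_plain(string $stored): string
{
    return $stored;
}

// Constructed sample input: contains every character htmlspecialchars() acts on.
$submitted = 'Tom & Jerry say "<b>hi</b>"';

$rowA = store_escaped($submitted); // approach 1
$rowB = store_raw($submitted);     // approach 2

// Both approaches produce identical, safe HTML as long as each is paired
// with the matching rendering discipline.
echo render_from_escaped($rowA), "\n";
echo render_from_raw($rowB), "\n";

// Where they diverge: a consumer other than a browser.
echo "export (approach 1): ", export_plain($rowA), "\n";
echo "export (approach 2): ", export_plain($rowB), "\n";

// And the failure mode of mixing them: an output-escaping template applied
// to an already-escaped row double-encodes the value.
echo "mixed: ", render_from_raw($rowA), "\n";
```

The two render_* calls print the same HTML, with the ampersand, quotes and angle brackets entity-encoded. The export lines show the difference the message is asking about: under approach 1 the exported text already carries `&amp;`, `&quot;` and `&lt;b&gt;`, while under approach 2 it is the original string. The final "mixed" line shows what happens when a row escaped on input later passes through a template that escapes on output: `&amp;` becomes `&amp;amp;`, because htmlspecialchars() re-encodes existing entities unless its fourth argument, `$double_encode`, is set to false.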