Posted by Harold Crump on 07/05/06 03:19

> > What's the issue with storing the &quote in the database?
>
> What if you want to use the data for other than displaying on the web? For instance, another
> (non-web) application is going to print information from the database? It might even be a C/C++
> application, for instance.

Point taken.
This application, however, is web-only.
I don't anticipate any non-web consumer for this data.
If that does indeed come to pass, I figure it will be easy enough to
write a script that HTML decodes everything and saves it back into the
database with escaped characters - no?

> > Why bother with mysql_real_escape_string and all its inherent issues if
> > we can completely eliminate quotes from making their way into the SQL
> > statement?
> >
>
> Because mysql_real_escape takes the current charset into account when performing its operations.

So does htmlentities()

> > What am I missing?
> >
>
> The fact that not everything in the world is html based?

No?
You mean you don't dream in HTML?
Where're you from? :p

-Harold.

• Next in forum: Re: Advice for an asp developer
• Prev in forum: Re: php script buffering
• Thread view: Re: Strategy for securing MySQL PHP application - please comment

[Reply to this message]