Posted by Jerry Stuckle on 07/05/06 10:33
Harold Crump wrote:
 >>>What's the issue with storing the &quot; in the database?
 >>
 >>What if you want to use the data for other than displaying on the web?  For instance, another
 >>(non-web) application is going to print information from the database?  It might even be a C/C++
 >>application, for instance.
 >
 >
 > Point taken.
 > This application, however, is web-only.
 > I don't anticipate any non-web consumer for this data.
 > If that does indeed come to pass, I figure it will be easy enough to
 > write a script that HTML decodes everything and saves it back into the
 > database with escaped characters - no?
 >
 
 First of all, you need to separate the data from the application.  You
 may very well have multiple applications using the same data.
 
 And *right now* this is a web application.  But does that mean it always
 will be?
 
 You should always separate your data from the presentation of the data.
 &quot; is part of the presentation, and should be converted after the
 data is retrieved from the database, not before it's inserted.
 
 >
 >>>Why bother with mysql_real_escape_string and all its inherent issues if
 >>>we can completely eliminate quotes from making their way into the SQL
 >>>statement?
 >>>
 >>
 >>Because mysql_real_escape takes the current charset into account when performing its operations.
 >
 >
 > So does htmlentities()
 >
 
 And no, htmlentities() does not take the current character set into
 account.  It only converts specific characters in the Western European
 character set to HTML entities.
 
 mysql_real_escape, OTOH, looks at the current charset used by the
 connection and converts data in the string to input which is compatible
 with mysql.  A completely different function, for a completely different
 purpose.
 
 Two functions, two uses.  Don't get them mixed up!
 
 >
 >>>What am I missing?
 >>>
 >>
 >>The fact that not everything in the world is html based?
 >
 >
 > No?
 > You mean you don't dream in HTML?
 > Where're you from? :p
 >
 > -Harold.
 >
 
 
 --
 ==================
 Remove the "x" from my email address
 Jerry Stuckle
 JDS Computer Training Corp.
 jstucklex@attglobal.net
 ==================
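An added example, not part of the original post, contrasting the two approaches discussed above: HTML-encoding before the insert versus storing the data as entered and encoding only when it is rendered. It assumes PDO bound parameters on an in-memory SQLite database in place of mysql_real_escape_string(); the table, columns, helper name and sample string are constructed for illustration.

```php
<?php
// Assumption: in-memory SQLite via PDO stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, variant TEXT, body TEXT)');

// Constructed sample input with both SQL- and HTML-significant characters.
$input = 'Tom said "it\'s <b>done</b>" & left';

// Bound parameters keep the quotes out of the SQL text, so no HTML encoding
// is needed to make the statement safe.
$insert = $db->prepare('INSERT INTO comments (variant, body) VALUES (:variant, :body)');

// Approach questioned in the thread: presentation encoding applied before storage.
$insert->execute([
    ':variant' => 'encoded_on_insert',
    ':body'    => htmlentities($input, ENT_QUOTES, 'UTF-8'),
]);

// Approach recommended in the reply: store the data exactly as entered.
$insert->execute([':variant' => 'raw', ':body' => $input]);

// Hypothetical helper: HTML encoding happens at output time, for web output only.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

foreach ($db->query('SELECT variant, body FROM comments ORDER BY id') as $row) {
    echo "== {$row['variant']} ==\n";
    // A non-web consumer (report, C/C++ program) reads the column as-is.
    echo "plain-text consumer: {$row['body']}\n";
    // A web page encodes whatever it reads, because it cannot assume every
    // writer to the table encoded it first.
    echo "web page:            " . forHtml($row['body']) . "\n\n";
}
```

For the `encoded_on_insert` row the plain-text consumer receives entity text such as `&quot;`, and the web page either double-encodes it or has to trust that every writer to the table encoded correctly; the `raw` row is correct for both consumers.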