Reply to Re: Strategy for securing MySQL PHP application - please comment

Posted by Harold Crump on 07/07/06 00:30

Hi --

Jerry Stuckle wrote:
> First of all, you need to separate the data from the application. You
> may very well have multiple applications using the same data.

> You should always separate your data from the presentation of the data.
> &quote is part of the presentation, and should be converted after the
> data is retrieved from the database, not before it's inserted.

Yes, that makes sense - point taken.
So, am I covering all my bases if I use the following strategy -

Use mysql_real_escape_string for all user input that goes into the
database

Use htmlentities() for all output that goes to a browser presentation

Use html_entity_decode() for all output that goes to non-web
presentations, like a desktop application or a file stream.

What else do I need to do?

Thanks for your input.

-Harold.
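The store-raw, encode-on-output strategy worked out in this exchange, as an added example that is not code from the thread or its posters. It swaps in PDO prepared statements for the mysql_real_escape_string() call discussed (the mysql_* extension was removed in PHP 7) and an in-memory SQLite table so it runs without a MySQL server; the table name, column names and sample input are assumptions.

```php
<?php
// Added example, not code from the thread. Demonstrates the strategy discussed:
// store user input unmodified, escape only at each boundary it crosses.
// Assumptions: table/column names are made up; PDO prepared statements stand in
// for mysql_real_escape_string() (the mysql_* extension was removed in PHP 7);
// an in-memory SQLite table replaces MySQL so the script runs offline.
declare(strict_types=1);

/** Database boundary: the value travels as a parameter, never spliced into SQL
 *  text, so quotes or backslashes in $body cannot alter the statement. Nothing is
 *  HTML-encoded here; that would bake presentation into the stored data. */
function storeComment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

/** Browser boundary: encode every time a value reaches an HTML page. ENT_QUOTES
 *  also covers single quotes, so the result is safe inside attribute values; the
 *  charset must match the one the page is served with. */
function renderForHtml(string $raw): string
{
    return htmlentities($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Non-HTML boundary (desktop client, file export): since nothing was encoded on
 *  the way in, no html_entity_decode() pass is needed; the raw value is correct. */
function renderForText(string $raw): string
{
    return $raw;
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input carrying characters significant to both SQL and HTML.
storeComment($db, "O'Brien", 'He said "5 < 6" & left <b>early</b>');

$row = $db->query('SELECT author, body FROM comments')->fetch(PDO::FETCH_ASSOC);
echo renderForHtml($row['body']), PHP_EOL;  // &lt;b&gt; stays inert in the browser
echo renderForText($row['body']), PHP_EOL;  // exactly what the user typed
```

Because the stored value is never encoded, the same row serves the web page and the desktop client without a decode step, which is the separation of data from presentation Jerry describes.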



Copyright © 2005-2006 Powered by Custom PHP Programming