I saw this comment: http://www.php.net/manual/en/function.mysql-real-escape-string.php#93005 and began to wonder why this would be a bad idea.
It's a bad idea for a couple of reasons:

will always be going into the database and into the database alone. What if something is going to be used in HTML output? Or in an email? Or written to a file? Or lots of other things... your filtering should always be context-sensitive.

More importantly, it encourages sloppy use of GET, POST, etc. because there's no indication that they've been filtered. If someone sees you use

    echo $_POST['name'];

on a page, how would they know it's been filtered? Or even worse... are you sure it has been? What about that other app? You know, the one you were just handed? What would new developers do? Would they even know that filtering is important?
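To make the "context-sensitive" point concrete, here is an added example (not code from the question, the answer, or the linked php.net comment). It takes one constructed input value and shows what happens when it is escaped once for SQL at the top of the script versus kept raw and encoded per destination (database, HTML, email header). It assumes PHP with the pdo_sqlite extension so the database part runs without a server, and it uses addslashes() as a stand-in for mysql_real_escape_string(), which was removed in PHP 7; the function names escapeEverythingAtEntry, storeName, forHtml and forEmailHeader are my own.

```php
<?php
// Added example: why escaping all of $_POST for SQL at script start is the wrong
// layer, and what per-context handling looks like instead.

// Constructed sample input, standing in for $_POST['name'].
// Contains a single quote (SQL-relevant) and markup (HTML-relevant).
$input = ['name' => "O'Brien <script>alert(1)</script>"];

// --- The anti-pattern from the linked comment: escape everything, once, for SQL.
// addslashes() is used here as a stand-in for mysql_real_escape_string(), which
// no longer exists; both prepend backslashes to quote characters.
function escapeEverythingAtEntry(array $post): array
{
    return array_map('addslashes', $post);
}

// --- Context-sensitive handling: the raw value is kept and encoded only at the
// point where it meets a particular interpreter.

// Database context: bind the raw value as a parameter; the driver does the
// quoting, so no manual escaping is needed and the value is stored verbatim.
function storeName(PDO $pdo, string $name): string
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (string) $pdo->query('SELECT name FROM users ORDER BY rowid DESC LIMIT 1')
                         ->fetchColumn();
}

// HTML body context: entity-encode at output time.
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Email header context: a header value must not contain line breaks, otherwise
// it can terminate the header and start a new one.
function forEmailHeader(string $value): string
{
    return str_replace(["\r", "\n"], '', $value);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');

// 1. Global-escape approach: the value is "filtered", but only for one context.
$escaped = escapeEverythingAtEntry($input);
echo "Global SQL escape, then echoed into HTML:\n";
echo "  ", $escaped['name'], "\n";
// The <script> element survives untouched, and a stray backslash (O\'Brien)
// now appears in the page because nothing consumed the SQL escaping.

// 2. Per-context approach: one raw value, three destinations, three encodings.
$raw    = $input['name'];
$stored = storeName($pdo, $raw);

echo "Stored in DB identical to input: ", var_export($stored === $raw, true), "\n";
echo "HTML context:         ", forHtml($stored), "\n";
echo "Email header context: ", forEmailHeader($stored), "\n";
```

Running it shows the stored row equal to the original input (no backslashes in the data), the HTML line with `<` and `'` turned into entities, and the email header line unchanged except that any CR/LF would have been dropped. The design point is the one the answer makes: the raw value is only safe or unsafe relative to a destination, so the encoding belongs where the value is used, not where it arrives.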