[nycphp-talk] Form field length vs. Database field length
Dan Cech
dcech at phpwerx.net
Tue Dec 23 16:28:04 EST 2003
Amen to that,
I just finished an email to Jeff on this very subject; it should be
appearing in a PHundamental very soon.
Essentially though, htmlentities or any other type of content encoding
should be done when text is output to whatever format it is being output to.
If you decided at some point in the future to output your data in PDF, you
would have to go through and unhtmlentities (html_entity_decode)
everything. No fun.
Dan Cech
Daniel Convissor wrote:
> On Mon, Dec 22, 2003 at 02:33:43PM -0500, Scott Mattocks wrote:
>
>>>That is to say, only call htmlspecialchars() when you're about to display
>>>the data, rather than before storing it.
>>
>>That is probably what we will end up doing, but I don't like it. I
>>would rather only mess with the data when it is submitted, but it doesn't
>>seem like that is going to be possible.
>
> And what if some charming individual on staff (or whatever) that has
> direct access to the database decides to (maliciously?) update data
> directly?
>
> In short, data needs to be cleaned up before being displayed.
>
> --Dan
>
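The "encode at output, not at input" rule discussed above, as an added example that is not code from the original post or from PHundamentals. It stores the submitted text raw, escapes it only in the HTML renderer, and shows what goes wrong when the same data is encoded at input and then reused for a non-HTML output or edited directly in the database. The helper names (storeRaw, storeEncoded, renderHtml, renderText), the 255-character column length and the sample inputs are assumptions for the example; the only library calls are htmlspecialchars(), htmlspecialchars_decode(), trim(), mb_substr() and strlen().

```php
<?php
// Added example, not from the original post. Assumed names: storeRaw,
// storeEncoded, renderHtml, renderText; assumed DB column length: 255.

const COLUMN_LENGTH = 255; // assumed VARCHAR(255) column

// Constructed sample submission: a legitimate ampersand plus an XSS attempt.
$submitted = 'Tom & Jerry <script>alert(1)</script>';

// Store the raw text. Only structural checks here (trim, column length);
// no content encoding, because we do not yet know where it will be output.
function storeRaw(string $input): string {
    return mb_substr(trim($input), 0, COLUMN_LENGTH);
}

// The alternative the thread argues against: encode for HTML at input time.
function storeEncoded(string $input): string {
    return htmlspecialchars(trim($input), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// HTML renderer: escape at the moment of output, for the HTML context only.
// Safe even if the row was written directly to the DB by someone else,
// because it never assumes the stored value is already encoded.
function renderHtml(string $stored): string {
    return '<p>' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Plain-text renderer standing in for a PDF or email output: HTML entities
// would be wrong here, so raw data is what this context wants.
function renderText(string $stored): string {
    return $stored;
}

$raw = storeRaw($submitted);
$enc = storeEncoded($submitted);

// 1. Raw storage, HTML output: escaped exactly once at output.
echo renderHtml($raw), "\n";
// <p>Tom &amp; Jerry &lt;script&gt;alert(1)&lt;/script&gt;</p>

// 2. Raw storage, text output: usable as-is.
echo renderText($raw), "\n";
// Tom & Jerry <script>alert(1)</script>

// 3. Input-time encoding, text output: entities leak into the PDF/text
//    unless every non-HTML output first undoes the encoding.
echo renderText($enc), "\n";
// Tom &amp; Jerry &lt;script&gt;alert(1)&lt;/script&gt;
echo renderText(htmlspecialchars_decode($enc, ENT_QUOTES | ENT_HTML5)), "\n";
// Tom & Jerry <script>alert(1)</script>

// 4. Input-time encoding, HTML output through the normal renderer:
//    double-encoded, so the user sees "&amp;" on the page.
echo renderHtml($enc), "\n";
// <p>Tom &amp;amp; Jerry &amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;</p>

// 5. Input-time encoding also breaks the form-length vs column-length
//    agreement: a value that fits the form field grows when encoded.
$fits = str_repeat('&', COLUMN_LENGTH);          // 255 chars in the form
echo strlen($fits), ' -> ', strlen(storeEncoded($fits)), "\n";
// 255 -> 1275  (each & becomes &amp;, which the column cannot hold)

// 6. Row edited directly in the database (constructed), bypassing the form:
//    output-time escaping still neutralises it; an input-time scheme would
//    have echoed it raw, trusting the stored value to be pre-encoded.
$editedInDb = '<img src=x onerror=alert(1)>';
echo renderHtml($editedInDb), "\n";
// <p>&lt;img src=x onerror=alert(1)&gt;</p>
```

Case 5 is the practical link to the thread's subject line: if you must limit input length, limit the raw text to the column width and let each output context grow it as needed, rather than storing the HTML-expanded form.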