Re: Character Entity References



On Mar 30, 7:27 pm, Michael Fesser <neti...@xxxxxx> wrote:
> .oO(George Maicovschi)
>
> > The problem starting with escaping the input data using htmlentities()
> > and from my point of view, escaping data before it goes to the DB is a
> > rather good thing not a bad one.
>
> Escaping yes, but not in this way. Data in a DB should never be stored
> in an output-specific or media-dependent encoding, but in a raw format.
> Pure data, nothing else. Just think about things like
>
> * output to something else than HTML, for example a PDF or a plain text
> newsletter
> * a fulltext search
>
> Both tasks will be almost impossible or at least much more complicated
> with HTML data in the DB, but pretty easy to do with raw data.
>
> > If the data displays right in the output of the script no worries
> > there, he decoded it with html_decode_entities().
>
> There's nothing to decode, but to _encode_ if - and only if - necessary.
> The current encoding is _not_ necessary.
>
> > Why do you guys say it's a lousy consultant because he escaped the
> > input?
>
> Because it's simply wrong and just shows that the consultant obviously
> didn't really understand what escaping is for and where it has to be
> used. Currently it's just the wrong method at the wrong place.
>
> > Should he have just made the insert with whatever data came to
> > him? I would like to hear a strong point of view on this matter, since
> > escaping inputs is in my opinion (as well in many other devs' opinion)
> > a very good programming practice and a must.
>
> The escaping in this case doesn't prevent anything, but causes new
> problems. Proper escaping for data that goes into a DB has to be done
> with functions like mysql_real_escape_string() or prepared statements,
> not with an HTML output(!) function.
>
> Micha

You're kinda right here, I jumped to conclusions. But if you use it
only for outputting to HTML then maybe htmlentities is a good way to
go... I use it combined with other techniques in one of my projects
and there haven't been any problems so far.
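The point the thread circles around (keep the database raw, bind values with a prepared statement, and HTML-encode only at the moment of HTML output) in one self-contained script. This is an added example, not code from either poster; it assumes the pdo_sqlite extension is available, and the table name `comments` and the helper names `renderHtml`/`renderText` are made up for the illustration.

```php
<?php
// Added example (not from the thread): raw data in the DB, prepared statements
// for the insert, HTML encoding only when rendering HTML.
// Assumes the pdo_sqlite extension; the table and function names are invented.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input, as it might arrive from a web form. It contains
// characters that matter to SQL (the apostrophe) and to HTML (< > & ").
$userInput = "O'Reilly says <b>5 > 3</b> & \"quotes\"";

// The approach criticised in the thread, shown only as a comment: encoding
// for HTML before storage. The DB would then hold "&lt;b&gt;5 &gt; 3..." which
// breaks full-text search and every non-HTML output (PDF, plain-text mail),
// and the string concatenation still leaves the SQL itself unprotected.
// $pdo->exec("INSERT INTO comments (body) VALUES ('" . htmlentities($userInput) . "')");

// Correct: a prepared statement with a bound parameter. The value is passed
// to the database separately from the SQL text, so the apostrophe in the
// input cannot change the meaning of the statement, and the data stays raw.
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $userInput]);

// What comes back is byte-for-byte what went in.
$stored = $pdo->query('SELECT body FROM comments WHERE id = 1')->fetchColumn();
if ($stored !== $userInput) {
    throw new RuntimeException('stored value was altered');
}

// HTML output: encode here, and only here. ENT_QUOTES also covers quotes so
// the value is safe inside attribute values, not just element text.
function renderHtml(string $raw): string
{
    return '<p>' . htmlentities($raw, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Plain-text output (the newsletter case): no HTML encoding at all.
function renderText(string $raw): string
{
    return $raw . "\n";
}

// Full-text search works against the raw data: a user searching for "<b>"
// matches, which it would not if "&lt;b&gt;" had been stored.
$search = $pdo->prepare('SELECT COUNT(*) FROM comments WHERE body LIKE :needle');
$search->execute([':needle' => '%<b>%']);
if ((int) $search->fetchColumn() !== 1) {
    throw new RuntimeException('raw data should be searchable');
}

echo renderHtml($stored), "\n";
echo renderText($stored);
```

The two render functions take the same raw string; the encoding is a property of the output medium, not of the data, which is exactly why it does not belong in the INSERT.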