nassau
Member
 
Join Date: Jul 2004
 
2006-10-01, 09:06

Someone please tell me: which of these two ways of thinking is better, more secure?

1. Just escaping quotes, thus saving them as they are in the database, and also leaving tags <> as they are, saving them to the database. Later, when displaying data, you would convert these characters to HTML entities, &quot; etc.

2. Converting quotes and <> to HTML entities before saving to the database, thus saving altered data. Later, when displaying data, you would display the data as it is, since it has already been converted.


I'm leaning towards the 1st option since I don't want to alter input data unless necessary.
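The two flows described in the post, written out as an added example (this is not code from the original post or from any forum software). It uses Python's sqlite3 and html modules; the `comments` table, the function names and the sample comment text are this example's own assumptions. Option 1 stores the raw text through a bound parameter (so quotes need no manual escaping at the SQL layer) and HTML-encodes at display time; option 2 HTML-encodes before storing and displays the stored value as-is. A third function reuses the same stored value in a JSON context, so the difference between the two stored forms becomes visible.

```python
"""Store-raw-encode-on-output vs. encode-before-store, side by side.

Added example; the table, function names and sample input are constructed
for illustration and do not come from any real forum application.
"""
import html
import json
import sqlite3

# Constructed sample input: a single quote, a double quote and an HTML tag.
SAMPLE = """Bob O'Neil said "hello" <b>loudly</b>"""


def open_db():
    """In-memory database with one comments table (example schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def store_raw(conn, text):
    """Option 1: save the text exactly as typed.

    The bound parameter carries quotes safely; no escaping is needed for SQL.
    """
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (text,))
    return cur.lastrowid


def store_encoded(conn, text):
    """Option 2: HTML-encode first, then save the altered value."""
    encoded = html.escape(text, quote=True)
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (encoded,))
    return cur.lastrowid


def load(conn, row_id):
    """Return the stored body for one comment."""
    row = conn.execute("SELECT body FROM comments WHERE id = ?", (row_id,)).fetchone()
    return row[0]


def render_html_option1(conn, row_id):
    """Option 1 display step: encode for the HTML context at output time."""
    return html.escape(load(conn, row_id), quote=True)


def render_html_option2(conn, row_id):
    """Option 2 display step: emit the stored (already encoded) value."""
    return load(conn, row_id)


def render_json(conn, row_id):
    """The same stored value emitted in a non-HTML context (a JSON API)."""
    return json.dumps({"body": load(conn, row_id)})


def compare(text=SAMPLE):
    """Run both flows on one input and collect every observable output."""
    conn = open_db()
    raw_id = store_raw(conn, text)
    enc_id = store_encoded(conn, text)
    return {
        "stored_raw": load(conn, raw_id),
        "stored_encoded": load(conn, enc_id),
        "html_option1": render_html_option1(conn, raw_id),
        "html_option2": render_html_option2(conn, enc_id),
        # What option-2 data looks like if it later passes through the
        # option-1 display step as well (mixed conventions in one code base).
        "html_option2_then_option1": html.escape(load(conn, enc_id), quote=True),
        "json_option1": json.loads(render_json(conn, raw_id))["body"],
        "json_option2": json.loads(render_json(conn, enc_id))["body"],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:28} {value}")
```

Running `compare()` shows that the HTML page output is identical under both options, while the database row differs: option 1 holds the original text, option 2 holds the entity-encoded form. The `json_option2` and `html_option2_then_option1` entries show what happens when the pre-encoded value is reused outside the HTML display path it was prepared for: the JSON consumer receives `&lt;b&gt;` literally, and a second encoding pass turns `&lt;` into `&amp;lt;`.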