Member
Join Date: Jul 2004
someone please tell me, which of these two ways of thinking is better, more secure?
1. Just escaping quotes, thus saving them as they are in the database, and also leaving tags <> as they are, saving them to the database. Later, when displaying data, you would convert these characters to HTML entities, &quot; etc.
2. Converting quotes and <> to HTML entities before saving to the database, thus saving altered data. Later, when displaying data, you would display the data as it is, since it has already been converted.
I'm leaning towards the 1st option since I don't want to alter input data unless necessary.
Member
Join Date: Jul 2004
basically the question is:
Should I filter HTML entities going IN or going OUT of the database? I'm leaning towards filtering going OUT.
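The two approaches from the question above, side by side, as an added example (not code from this thread or from any poster): approach 1 stores the submitted text unchanged and HTML-encodes at output time; approach 2 HTML-encodes before storing. The table name, the sample comment and the function names are constructed for illustration. One detail the question's wording glosses over: manually escaping quotes for the database is unnecessary when the value is passed as a bound parameter, which is how the example keeps the data out of the SQL text.

```python
import html
import sqlite3

# Constructed sample input (not from the thread): a comment containing an
# apostrophe, double quotes, angle brackets and an ampersand.
SAMPLE_INPUT = 'Bob\'s review: <b>5 stars</b> & a "bargain" <script>alert(1)</script>'


def open_db():
    """Fresh in-memory database with a hypothetical comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def store_raw(conn, body):
    """Approach 1: keep the text exactly as submitted.
    No manual quote escaping; the bound parameter keeps the value out of the SQL."""
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    return cur.lastrowid


def store_pre_encoded(conn, body):
    """Approach 2: HTML-encode before saving, so the database holds altered data."""
    encoded = html.escape(body, quote=True)
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (encoded,))
    return cur.lastrowid


def fetch(conn, row_id):
    return conn.execute("SELECT body FROM comments WHERE id = ?", (row_id,)).fetchone()[0]


def render_html(body):
    """Encode at output, for an HTML text or quoted-attribute context.
    & < > " ' all become entities, so stored markup cannot execute."""
    return html.escape(body, quote=True)


def render_plain(body):
    """A non-HTML consumer (e-mail, JSON API, CSV export) wants the original text."""
    return body


def compare():
    """Store the same input both ways and show what each consumer gets back."""
    conn = open_db()
    raw = fetch(conn, store_raw(conn, SAMPLE_INPUT))
    enc = fetch(conn, store_pre_encoded(conn, SAMPLE_INPUT))
    return {
        # approach 1 gives the original back unchanged; approach 2 does not
        "raw_roundtrip": raw == SAMPLE_INPUT,
        "encoded_roundtrip": enc == SAMPLE_INPUT,
        # for an HTML page both approaches produce identical, inert markup
        "html_from_raw": render_html(raw),
        "html_from_encoded": enc,
        "html_equal": render_html(raw) == enc,
        # for a plain-text consumer only approach 1 is correct;
        # approach 2 leaks entities like &lt;b&gt; into an e-mail or API response
        "plain_from_raw": render_plain(raw),
        "plain_from_encoded": render_plain(enc),
        # the classic trap with approach 2: encode-on-output applied to
        # already-encoded data double-encodes it (&amp;lt;b&amp;gt;)
        "double_encoded": render_html(enc),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Approach 1 keeps one canonical copy of the data and lets each output context decide its own encoding (HTML here; a JSON or e-mail consumer would use a different one), which is why the replies below favour it. Approach 2 bakes one context's encoding into storage, so every other consumer either shows entities or has to decode first, and an output layer that encodes defensively will double-encode.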
Selfish Heathen
Join Date: May 2004
Location: Zone of Pain
I don't think there is a simple "better" answer. Each is better under certain circumstances.
Personally, I would prefer the latter, converting to HTML entities when they are output.
http://ga.rgoyle.com
Join Date: May 2004
Location: In your dock hiding behind your finder icon!
I would second what Brad said. You might not always want to display your data on the web, so it would be best to keep it in its original form.
OK, I have given up keeping this sig up to date. Let's just say I'm the guy that installs every latest version as soon as it's available!
Member
Join Date: Jul 2004
Yeah, that's what I'm thinking too. Thanks for the input.