Help with sanitize and escaping

Carl Johnson wrote:

Nick Snels wrote:

I do my sanitizing before I put the data in the table.

Yeah this is the right way to do it (sanitize on input). I don't know why the "standard" why (as promoted in Agile book I believe) only stresses escaping output.

The advantages of doing it at input:

-Only have to do it once versus having to use functions like h() many times for the same data (what about DRY?).
-If other apps use your data you do not have to rely on them doing the right thing.

The one advantage of not storing sanitized and escaped versions
is that if the user enters something like


in a text field, they will see exactly what they entered in both h-escaped
text, and in re-filled forms, while if an escaped version has been stored
they will see


in the text box.