Help with sanitize and escaping

Carl Johnson wrote:

Nick Snels wrote:

I do my sanitizing before I put the data in the table.

Yeah, this is the right way to do it (sanitize on input). I don't know why the "standard" way (as promoted in the Agile book, I believe) only stresses escaping output.

The advantages of doing it at input:

- Only have to do it once, versus having to use functions like h() many times for the same data (what about DRY?).
- If other apps use your data, you do not have to rely on them doing the right thing.

The one advantage of not storing sanitized and escaped versions is that if the user enters something like

   <b>Abcde</b>

in a text field, they will see exactly what they entered in both h-escaped text, and in re-filled forms, while if an escaped version has been stored they will see

   &lt;b&gt;Abcde&lt;/b&gt;

in the text box.
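The round trip described above, as an added example that is not from the thread: it stores the same input both ways, runs it through a view helper that escapes like Rails' h(), and models a browser decoding the attribute once. The function names, the entity table and the browser model are illustrative assumptions, not Rails code.

```ruby
require "erb"

# Constructed sample: exactly what the user typed into the text field.
USER_INPUT = "<b>Abcde</b>"

# Strategy 1 (escape on output): store the raw text, call h() in every view.
def store_raw(input)
  input
end

# Strategy 2 (escape on input): store the h()-escaped text in the table.
def store_escaped_at_input(input)
  ERB::Util.h(input)
end

# The form helper re-fills <input value="..."> and, as a view should,
# escapes whatever it is handed. With Strategy 2 this is a second pass.
def refill_value_attr(stored)
  ERB::Util.h(stored)
end

# Minimal (assumed) model of the browser: it decodes entities exactly once.
ENTITIES = { "&lt;" => "<", "&gt;" => ">", "&quot;" => '"',
             "&#39;" => "'", "&amp;" => "&" }.freeze
def browser_shows(attr_value)
  attr_value.gsub(/&(?:lt|gt|quot|#39|amp);/) { |ent| ENTITIES[ent] }
end

# End-to-end: what appears in the text box for each storage strategy.
def textbox_after_roundtrip(strategy, input)
  stored = strategy == :raw ? store_raw(input) : store_escaped_at_input(input)
  browser_shows(refill_value_attr(stored))
end

# Audit helper: a database value that already contains entity references
# is a sign that escaping was applied at input and will be doubled on output.
def looks_pre_escaped?(stored)
  stored.match?(/&(?:lt|gt|quot|amp|#\d+);/)
end

if __FILE__ == $0
  puts textbox_after_roundtrip(:raw, USER_INPUT)      # <b>Abcde</b>
  puts textbox_after_roundtrip(:escaped, USER_INPUT)  # &lt;b&gt;Abcde&lt;/b&gt;
end
```

Both strategies emit an attribute with no raw `<`, so the markup is safe either way; the difference is only in what the user sees in the re-filled field.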