
  2. 9

    To avoid SQL injection or storing raw HTML in the database, it’s common practice to escape all SQL statements and HTML from the request body.

    Looks like someone read a PHP tutorial; even PHP removed magic_quotes in PHP 5.4.0.

    1. 5

      This article is such nonsense. First, he seems to be escaping all strings, regardless of content, which is a nice way to have%20encoded%20stuff when the content appears in a non-HTML context. Not to mention it’s hard to search within escaped content in the db.

      Secondly, the data should obviously not be escaped at this point, but only when being displayed in a page. With his pre-escaping technique I wouldn’t be surprised if he ends up with XSS anyway by blindly trusting everything that comes from his database.

      1. 1

        First he seems to be escaping all strings, regardless of content

        You’d want to use a tag for that, really, no? - doodah string `myenc:"true"`
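The escape-at-output point made in the thread, as an added example that is not code from the article or from any commenter, in Go with only the standard library: a row that was HTML-escaped on the way into the database gets double-escaped by html/template, leaks entities into non-HTML contexts such as e-mail or logs, and no longer matches a plain substring search, while marking a stored row as template.HTML shows what "blindly trusting" database content means. The sample comment string is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"strings"
)

// Constructed sample input: what a user typed into a comment form.
const rawComment = `Tom & Jerry <3 "cartoons"`

// PreEscape models the approach the thread criticises: HTML-escape every
// string on the way into the database, whatever context it will be shown in.
func PreEscape(s string) string { return html.EscapeString(s) }

var page = template.Must(template.New("c").Parse(`<p>{{.}}</p>`))

func render(v interface{}) (string, error) {
	var buf bytes.Buffer
	if err := page.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderHTML escapes at display time: html/template applies the escaping
// that the HTML text context needs, exactly once.
func RenderHTML(stored string) (string, error) { return render(stored) }

// RenderTrusting marks the stored value as already-safe HTML, which is what
// "blindly trusting everything from the database" amounts to: nothing is escaped.
func RenderTrusting(stored string) (string, error) { return render(template.HTML(stored)) }

// MatchesSearch stands in for a LIKE query over the stored column.
func MatchesSearch(stored, query string) bool { return strings.Contains(stored, query) }

func main() {
	stored := PreEscape(rawComment)
	fmt.Println("stored (pre-escaped):  ", stored) // entities leak into e-mail, logs, JSON
	out, _ := RenderHTML(stored)
	fmt.Println("html, pre-escaped row: ", out) // double-escaped: &amp;amp;
	out, _ = RenderHTML(rawComment)
	fmt.Println("html, escape on output:", out) // escaped once, for this context
	out, _ = RenderTrusting(rawComment)
	fmt.Println("html, trusting the row:", out) // raw markup reaches the browser
	fmt.Println("search 'Tom & Jerry' hits pre-escaped row:", MatchesSearch(stored, "Tom & Jerry"))
}
```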