This article is such nonsense. First he seems to be escaping all strings, regardless of content, which is a nice way to have%20encoded%20stuff when the content appears in non-html context. Not to mention it’s hard to search within escaped content in the db.
Secondly, the data should obviously not be escaped at this point, but only when being displayed in a page. With his pre-escaping technique I wouldn’t be surprised if he ends up with XSS anyway by blindly trusting everything that comes from his database.
Looks like someone read a PHP tutorial; even PHP removed magic_quotes in PHP 5.4.0.
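The point the commenter makes above (store the raw value, encode at display time for the specific sink it lands in), as an added Go example that is not part of this thread or of the article it criticises. Go is assumed from the struct-tag syntax quoted later in the thread; the sample comment text is constructed, and `PreEscapeOnInsert` is a hypothetical stand-in for "escape once on the way into the database", not the article's actual encoder.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// Constructed sample row: the text exactly as the user submitted it.
// It is stored verbatim; nothing is escaped on the way into the database.
const storedComment = `Tom & Jerry <3 "cartoons"`

// RenderHTMLText encodes for one specific sink, an HTML text node,
// at the moment the value is written into the page.
func RenderHTMLText(s string) string {
	return html.EscapeString(s)
}

// RenderQueryParam encodes the same stored value for a different sink,
// a URL query component. Each sink gets its own encoder at output time.
func RenderQueryParam(s string) string {
	return url.QueryEscape(s)
}

// PreEscapeOnInsert models the approach the comment objects to: the value is
// percent-encoded once before it is stored, so every later sink sees the
// encoded form whether or not that encoding fits it. (Hypothetical stand-in.)
func PreEscapeOnInsert(s string) string {
	return url.PathEscape(s)
}

// SearchMatches models a plain substring search over a stored column.
// Against a pre-escaped column the user's own words no longer match.
func SearchMatches(row, needle string) bool {
	return strings.Contains(row, needle)
}

// DoubleEncoded reports whether rendering a pre-escaped value into HTML
// differs from rendering the raw value, i.e. whether the reader would see
// artefacts such as %20 in the page.
func DoubleEncoded(raw string) bool {
	return RenderHTMLText(PreEscapeOnInsert(raw)) != RenderHTMLText(raw)
}

func main() {
	fmt.Println("stored row:   ", storedComment)
	fmt.Println("HTML sink:    ", RenderHTMLText(storedComment))
	fmt.Println("query sink:   ", RenderQueryParam(storedComment))
	fmt.Println("pre-escaped:  ", PreEscapeOnInsert(storedComment))
	fmt.Println("search over raw row:        ", SearchMatches(storedComment, "Tom & Jerry"))
	fmt.Println("search over pre-escaped row:", SearchMatches(PreEscapeOnInsert(storedComment), "Tom & Jerry"))
	fmt.Println("pre-escaping leaks into HTML:", DoubleEncoded(storedComment))
}
```

Storing the raw value keeps the database searchable and leaves each output path free to apply the encoder its own context needs; the pre-escaped variant produces `%20` noise in HTML output and defeats a simple substring search, which is exactly the failure the comment describes.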
You’d want to use a tag for that, really, no? -
doodah string `myenc:"true"`