On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> I can read, I saw 2 functions the first time. each function cleans *and* 
> escapes.
>
> cleaning is filtering of input.
> escaping is preparing for output.
>
> 2 concepts.

I see your point.

> if the input needs to be stripped of html then it needs that regardless
> of the output vector. again removing or not-accepting input if it contains
> '--' is a question of filtering/validation ... besides which '--' is quite
> acceptable for data stored in a text field but not for a numeric one.

I'm not accepting "--" at all until someone can show me a real world
case where one would use it, without the intention of SQL injection.
How can it be escaped, anyway?

> filter each piece of data
> validate each piece of data
> escape each piece of data for each context in which it will be output.

I see that you have more experience than I!

> imho your functions are conceptually wrong and not very robust either -
> don't take it as a personal attack - I'm very sure if we sat down with *some*
> of my code the same criticism could be made to more or lesser extent :-) ...
> "getting better all the time" as they sang once ;-)

I never thought that was a personal attack, not for a second. Rather,
I very much appreciate the time you take to explain to me my errors.
And I intend to learn from them. For the time being, I'll leave the
code as it is. However, for future projects, I will make a point of
separating the different functions. Thanks.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

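An added example, not code from either poster, written in Python with sqlite3 rather than PHP so it runs stand-alone. It puts the three steps from the thread side by side: the numeric field rejects "--" simply because it is not a number, the text field accepts it as ordinary text, and each output context gets its own treatment (parameter binding for SQL, html.escape for HTML). The form field names and length limits are assumptions made for the example.

```python
import html
import sqlite3

# Constructed sample form submission (field names are assumptions for this example).
# The comment legitimately contains "--" and quotes; none of them is rejected,
# and none of them is allowed to change the SQL or the HTML.
SAMPLE_FORM = {"age": "42", "comment": "Ticket 12 -- reopened; it's 'urgent'"}


def validate_form(form):
    """Filtering/validation step: check each field against its own type rules.
    Nothing here knows about SQL or HTML. A numeric field rejects '--' because
    it is not a number; a text field accepts it because it is ordinary text."""
    clean = {}
    age = form.get("age", "").strip()
    if not age.isdigit() or not 0 < int(age) < 150:
        raise ValueError("age must be a whole number between 1 and 149")
    clean["age"] = int(age)
    comment = form.get("comment", "")
    if not 0 < len(comment) <= 500 or any(ord(c) < 32 and c not in "\n\t" for c in comment):
        raise ValueError("comment must be 1-500 printable characters")
    clean["comment"] = comment
    return clean


def store_comment(conn, clean):
    """SQL output context: values travel as bound parameters, so '--' and quotes
    are data, never syntax. No hand-written SQL escaping is needed."""
    conn.execute("INSERT INTO comments (age, body) VALUES (?, ?)",
                 (clean["age"], clean["comment"]))
    conn.commit()


def render_comment(clean):
    """HTML output context: escape at the moment of output, for this context only."""
    return '<p data-age="%d">%s</p>' % (clean["age"], html.escape(clean["comment"], quote=True))


def demo(form=SAMPLE_FORM):
    """Run validate -> store -> render on the input; return the stored rows and the HTML."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (age INTEGER, body TEXT)")
    clean = validate_form(form)
    store_comment(conn, clean)
    stored = conn.execute("SELECT age, body FROM comments").fetchall()
    return stored, render_comment(clean)


if __name__ == "__main__":
    print(demo())
```

Passing the same comment through both contexts shows why one combined "clean and escape" function cannot be right: the database must keep the apostrophes and the "--" verbatim, while the HTML must not.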