Hello Arianna!
Thanks for the reply.
Your approach is "bad" for a few reasons...
1) The site already manually protects variables, so the variables that are used, would be escaped twice.
2) You left out $_COOKIE
3) More information would be escaped than would be needed, so it is much slower, as are arrays in general.
4) What if, say for user profile input, you wanted to permit certain HTML tags or something (not BBCode)? Since the input is stripped already, there isn't much you can do.
5) Encourages bad practices; user who learned PHP from Mysidia, may leave the part out of the code, following their habit of simply putting it directly in queries.
Make sense?
NBS
Last edited by nobackseat; 04-27-2011 at 01:43 PM.
|