22 Jul 2006, 9:37 p.m.
I notice that we sanitize $path every time l() is called [note: l() calls url()]. So these 100+ alias queries also imply 100+ calls to mysql_real_escape_string(). Note that db_escape_string() is on the list of offenders in Dries' figures. Maybe we need a parameter on url() where a developer can declare that his input $path is safe. Consider the many links which point to "node/$nid" - these get sanitized even though $nid comes from an integer field in the DB. It isn't totally clear how Xdebug does its accounting, but I acknowledge that avoiding output filtering is a bit scary but probably acceptable in this case.
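An added illustration of the trade-off raised in the comment above; this is example code, not Drupal's own l()/url() implementation. The functions sanitize_path(), node_path() and cached_path() are hypothetical stand-ins: they show how the "node/$nid" case can skip the per-call escape without a blanket "trust me" flag, by having the path builder verify that the id really is a plain integer (a far cheaper check than the escape itself), and how a per-request memo avoids repeating the same sanitizing work for the same path.

```php
<?php
// Added example, not Drupal code. Illustrates skipping per-call escaping for
// integer-id paths while keeping the safety guarantee inside the builder.

// Stand-in for the per-call sanitizing that url() performs on $path. A real
// site would run its DB escaping / alias lookup here; this version runs
// offline by percent-encoding each path segment.
function sanitize_path(string $path): string {
    return implode('/', array_map('rawurlencode', explode('/', $path)));
}

// Fast path for "node/$nid". The caller passes the raw id and the builder
// proves it is a non-negative integer before bypassing sanitize_path().
// The guarantee stays with the builder, not with a flag any caller could set.
function node_path($nid): string {
    $s = (string) $nid;                 // ctype_digit() must see a string
    if ($s !== '' && ctype_digit($s)) {
        return 'node/' . $s;            // only digits: nothing to escape
    }
    // Anything else (e.g. a string that came from a form) takes the slow,
    // safe path instead of being trusted.
    return sanitize_path('node/' . $s);
}

// Per-request memo: repeated l() calls for the same path reuse the result
// instead of re-running the escape (and, on a real site, the alias query).
function cached_path(string $path): string {
    static $memo = [];
    if (!isset($memo[$path])) {
        $memo[$path] = sanitize_path($path);
    }
    return $memo[$path];
}

// Usage with constructed sample values.
echo node_path(42), "\n";            // node/42          (escape skipped)
echo node_path('42<b>'), "\n";       // node/42%3Cb%3E   (slow, safe path)
echo cached_path('about/us'), "\n";  // about/us         (escaped once, then memoized)
echo cached_path('about/us'), "\n";  // served from the memo
```

The point of the integer check is that "declaring" a path safe moves the burden onto every caller, whereas verifying a digit-only id costs almost nothing and keeps the same guarantee the full escape would have given for that input.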