[development] too much sanitizing?

Moshe Weitzman weitzman at tejasa.com
Sat Jul 22 19:37:46 UTC 2006

I notice that we sanitize $path every time l() is called [note: l() calls 
url()]. So these 100+ alias queries also imply 100+ calls to 
mysql_real_escape_string(). note that db_escape_string() is on the list of 
offenders at dries' figures.

maybe we need a parameter on url() where a developer can declare that his 
input $path is safe. consider the many links which to "node/$nid" - these 
get sanitized even though $nid comes from an integer field in the DB.

it isn't totally clear how xdebug does its accounting, but i

i acknowledge that avoiding output filtering is a bit scary but probably 
acceptable in this case.

More information about the development mailing list