[development] too much sanitizing?
weitzman at tejasa.com
Sat Jul 22 19:37:46 UTC 2006
I notice that we sanitize $path every time l() is called [note: l() calls
url()]. So these 100+ alias queries also imply 100+ calls to
mysql_real_escape_string(). note that db_escape_string() is on the list of
offenders at dries' figures.
maybe we need a parameter on url() where a developer can declare that his
input $path is safe. consider the many links which to "node/$nid" - these
get sanitized even though $nid comes from an integer field in the DB.
it isn't totally clear how xdebug does its accounting, but i
i acknowledge that avoiding output filtering is a bit scary but probably
acceptable in this case.
More information about the development