Remove check_plain from $_POST variables
obsidiandesign - August 3, 2008 - 22:04
| Project: | Signup Pay for a node |
| Version: | 5.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | minor |
| Assigned: | Unassigned |
| Status: | postponed (maintainer needs more info) |
Description
While searching for a solution to the apostrophe problems I was having, it came up that check_plain() is for outputting text to the user; using it before inserting data into the database isn't necessary. Not a big issue, but I thought I'd propose removing check_plain() from each of the $_POST variables inside signup_pay_paypal_ipn().
Thanks for a really handy module.
| Attachment | Size |
|---|---|
| signup_pay.module_check_plain.patch | 1.61 KB |

#1
I think this is an OK approach, consistent with what core does (filter on output, not input).
However, on an existing site, this would cause data inconsistency, with some rows escaped and some not escaped.
So, I am looking for more input from the community at large on whether to create a hook_update_N() to unescape the old data, or just let it be, because the module is still in a -dev release.
#2
I like the consideration to apply an update with this patch.
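
The inconsistency raised in comment #1, as an added example that is not part of the issue thread or the module's code. It is stand-alone PHP in which `escape_for_output()` stands in for `check_plain()`; the `old` flag, the `unescape_legacy_rows()` helper and the sample values are constructed assumptions.

```php
<?php
// Added example: stand-alone PHP, no Drupal bootstrap required.

// Stand-in for Drupal's check_plain(): HTML-escape, including quotes.
function escape_for_output($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample value, as it might arrive in a $_POST field.
$posted = "O'Brien & Sons";

// Filter on input: the stored value is already HTML.
$stored_escaped = escape_for_output($posted);
// Filter on output only: the stored value is the raw text.
$stored_raw = $posted;

// Rendering always escapes, so the pre-escaped row is escaped twice
// and the visitor sees entity text instead of the apostrophe.
echo "escaped on input, rendered: ", escape_for_output($stored_escaped), "\n";
echo "raw on input, rendered:     ", escape_for_output($stored_raw), "\n";

// Hypothetical one-time cleanup (the kind of work a hook_update_N()
// would do): decode only rows written before the patch was applied.
// The 'old' flag is an assumption about how such rows are identified.
function unescape_legacy_rows(array $rows) {
  foreach ($rows as &$row) {
    if ($row['old']) {
      $row['value'] = htmlspecialchars_decode($row['value'], ENT_QUOTES);
    }
  }
  unset($row);
  return $rows;
}

// Constructed rows: one legacy (escaped), two saved after the patch.
$rows = array(
  array('old' => TRUE,  'value' => $stored_escaped),
  array('old' => FALSE, 'value' => $stored_raw),
  // Raw text that legitimately contains an entity string; decoding
  // this row would silently change what the user typed.
  array('old' => FALSE, 'value' => 'Use &amp; in HTML'),
);

foreach (unescape_legacy_rows($rows) as $row) {
  echo $row['value'], "\n";
}
```

Decoding is not idempotent, so an update of this kind has to be restricted to rows known to predate the patch and must run only once.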