Hacker News
by gungsukma2 1711 days ago
> So the company value will be stored like this: ' or '=' instead of this " or ""="

No, if they enter '"', store it as '"' in your database (maybe by using '\"' in the query), serve it as ''' in html ('"', actually).

1 comment

Yes, you should persist the raw user input. Why would my non-html gui app show some escaped html?
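The point both commenters make, shown as an added example that is not code from either poster: the database row keeps the raw input (a bound parameter, not quote escaping in the query string, keeps a `'` or `"` from breaking the SQL), HTML escaping happens only when rendering HTML, and a non-HTML client gets the raw value back. The table, column and function names, the in-memory SQLite database and the sample company name are assumptions constructed for the example; the commenters named none of them. The `store_pre_escaped` function is the anti-pattern from the quoted line, included so the double-escaping and the entities leaking into a plain GUI are visible side by side.

```python
import html
import sqlite3

# Constructed sample input (not from the thread): a single quote, double
# quotes, an ampersand and angle brackets, i.e. everything that matters for
# SQL string literals and for HTML.
SAMPLE_NAME = 'O\'Reilly "Media" & Co <x>'


def open_db() -> sqlite3.Connection:
    """In-memory database with one assumed table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE company (id INTEGER PRIMARY KEY, name TEXT NOT NULL)"
    )
    return conn


def store_raw(conn: sqlite3.Connection, name: str) -> int:
    """Persist the input exactly as typed.

    The '?' placeholder hands the value to the driver out of band, so a quote
    inside the name cannot terminate the SQL literal. No backslashes, no quote
    doubling, and nothing HTML-specific ends up in the row."""
    cur = conn.execute("INSERT INTO company (name) VALUES (?)", (name,))
    conn.commit()
    return cur.lastrowid


def store_pre_escaped(conn: sqlite3.Connection, name: str) -> int:
    """Anti-pattern: HTML-escape on input, then store. Kept for contrast."""
    return store_raw(conn, html.escape(name, quote=True))


def load(conn: sqlite3.Connection, row_id: int) -> str:
    """Read the stored value back, again with a bound parameter."""
    row = conn.execute(
        "SELECT name FROM company WHERE id = ?", (row_id,)
    ).fetchone()
    return row[0]


def render_html(name: str) -> str:
    """Escape at the HTML boundary: & < > " ' become entities."""
    return f"<td>{html.escape(name, quote=True)}</td>"


def render_plain(name: str) -> str:
    """A non-HTML consumer (desktop GUI, CSV export, JSON API) wants the raw
    value; there is nothing to escape for it here."""
    return name


def demo() -> dict:
    """Store the sample both ways and render each copy for both consumers."""
    conn = open_db()
    raw_id = store_raw(conn, SAMPLE_NAME)
    esc_id = store_pre_escaped(conn, SAMPLE_NAME)
    raw_value = load(conn, raw_id)
    esc_value = load(conn, esc_id)
    return {
        "raw_db": raw_value,                 # exactly what the user typed
        "raw_html": render_html(raw_value),  # escaped once, at output
        "raw_plain": render_plain(raw_value),
        "esc_db": esc_value,                 # entities baked into the row
        "esc_html": render_html(esc_value),  # escaped twice: &amp;quot; etc.
        "esc_plain": render_plain(esc_value),  # GUI shows &quot; to the user
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10} {value}")
```

Running it prints the two rows and their renderings; the `esc_*` lines are the commenter's complaint made concrete: the pre-escaped row renders as `&amp;quot;` in HTML and shows literal `&quot;` in a client that never speaks HTML.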