by masklinn 1325 days ago
> That doesn't make sense to me and I agree with GP. If I consume HTML and I escape all HTML input I'm given, I'm utterly useless. [...] Now when I consume text and convert that text into HTML for further treatment, I'm producing HTML, and I must properly escape my input in that conversion.

Which is my point: it's the consumption side which defines what the escaping should be.

> Escaping only ever occurs at a boundary when transforming between formats (eg from "text string" to "html string") which is always both producer (of the new format) and consumer (of the old format).

A database interface is not a transformer / producer, yet it needs escaping. Globbing is not a transformer either. It still needs escaping.

> I disagree, a database interface is a format boundary at which a transformation occurs (from text to SQL) and so is globbing (from text to pattern).
Whatever, call it a transformer if that makes you hard.

Point doesn't change: what escaping is needed is a function of the "transformer" and applied to the input (= consumption) side of it.

You don't apply an escaping because data comes from a database, you apply it because it goes into one. Same with template processors, regex engines, etc.
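The point that the consumer decides the escaping, shown as an added example that is not part of this thread: one constructed untrusted string is handed to four consumers (HTML, SQL, glob, regex), each with its own escaping, and escaping for the wrong consumer visibly corrupts the data. The helper names are my own.

```python
import fnmatch
import glob
import html
import re
import sqlite3

# Constructed sample input: the same untrusted text goes to four consumers.
UNTRUSTED = "O'Brien <b>*.txt</b> (a+b)"


def for_html(text: str) -> str:
    """HTML consumer: neutralise the characters HTML treats as markup."""
    return html.escape(text, quote=True)


def for_sql(text: str) -> list:
    """SQL consumer: bind the value as a parameter instead of escaping by
    hand, so the driver keeps it out of the statement grammar entirely.
    Returns what the database actually stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE names (name TEXT)")
    conn.execute("INSERT INTO names VALUES (?)", (text,))
    rows = conn.execute("SELECT name FROM names WHERE name = ?", (text,)).fetchall()
    conn.close()
    return [r[0] for r in rows]


def for_glob(text: str) -> str:
    """Glob consumer: wrap *, ? and [ so the pattern matches the text literally."""
    return glob.escape(text)


def for_regex(text: str) -> str:
    """Regex consumer: backslash the metacharacters so the pattern is literal."""
    return re.escape(text)


def literal_glob_match(text: str, candidate: str) -> bool:
    """True only when `candidate` equals `text` under glob rules."""
    return fnmatch.fnmatch(candidate, for_glob(text))


def literal_regex_match(text: str, candidate: str) -> bool:
    """True only when `candidate` equals `text` under regex rules."""
    return re.fullmatch(for_regex(text), candidate) is not None
```

Storing `for_html(UNTRUSTED)` through `for_sql` shows the failure the thread is arguing about: escaping chosen for the source rather than the destination changes the data that reaches the database.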