Why do some programmers not ensure data is escaped for the right output ‘layer’? Today I came across some legacy code which appends strings together to create a CSV file – it went along the lines of:
$line .= $foo . '","' . $bar . '","' . $etc…. . "\n";
There was no attempt at escaping the data being embedded, so if it contained a " (which I know some records do) it will/would fail (yes, one premises has “…” in its name, and it’s caused us problems already with similar code).
The easy answer in this instance is to use PHP’s fputcsv() function (which has been around since 5.1).
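To see the difference, here is an added example (not the legacy code itself) that writes the same rows both ways and checks whether each result parses back to the original fields. The sample rows and the function names legacy_line, safe_csv and parse_csv are made up for illustration, and passing an empty escape argument assumes PHP 7.4 or later.

```php
<?php
// Constructed sample rows (not data from the original post).
$rows = [
    ['1', 'The "Old" Mill', 'High Street'],
    ['2', 'Unit 4, Riverside', 'Station Road'],
];

// Modelled on the legacy pattern: glue fields together with "," and no escaping.
function legacy_line(array $row): string
{
    return '"' . implode('","', $row) . '"' . "\n";
}

// fputcsv() adds the enclosure where needed and doubles embedded quotes.
// The empty escape argument disables PHP's non-standard backslash handling.
function safe_csv(array $rows): string
{
    $fh = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        fputcsv($fh, $row, ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Read CSV text back into rows with fgetcsv(), using the same settings.
function parse_csv(string $csv): array
{
    $fh = fopen('php://memory', 'w+');
    fwrite($fh, $csv);
    rewind($fh);
    $out = [];
    while (($r = fgetcsv($fh, 0, ',', '"', '')) !== false) {
        $out[] = $r;
    }
    fclose($fh);
    return $out;
}

$legacy = implode('', array_map('legacy_line', $rows));
$safe   = safe_csv($rows);

echo $legacy, "\n", $safe, "\n";
// Round-trip check: does parsing give back exactly what went in?
var_dump(parse_csv($legacy) === $rows);
var_dump(parse_csv($safe) === $rows);
```

The row containing a comma survives the legacy approach only because every field is wrapped in quotes; the row containing a quote does not, while the fputcsv() output round-trips for both.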
What other demons are lurking there waiting to cause trouble I wonder?
(See also my random tweet linked to this)