Where is the best place to use html_escape? Model, view or controller?

[eluser]behnampmdg3[/eluser]
Hello;

It looks like there are few ways to do this. For example:

In model

Code:

function get_all_places()
   {
    $query = "SELECT * FROM places LIMIT 10";
    $s= $this->db->query($query);
    foreach ($s->result() as $row)
     {
      $this->place_results[]= array('name'=>html_escape(ucwords(strtolower($row->name))),
        'id'=>$row->id);
     }
    return $this->place_results;
   }

Or in view:

Code:

foreach($places as $val =>$row)
{
  echo html_escape($row['name'])."<br />";
}

Thanks

[eluser]PhilTem[/eluser]
I tend putting htmlentities into my views and just into the views because sometimes you might not want to escape the data in the view (think of a wysiwyg-editor) so you don't want to alter it with your model on getting.
You could also do it in the controller but in that case you'd probably loop over your array twice - in the controller for escaping and in the view for displaying - which increases your execution time. Of course not tremendously but noticeable (on many requests)

[eluser]michaelh99[/eluser]
Why are you escaping the data coming out of your database rather than on the way in?

[eluser]PhilTem[/eluser]
You should decide on one approach of escaping data. Either on database INSERT or database READ. Either way, somewhere it needs to be done and I personally like doing it on the view because I may need the unaltered, user-provided data some day later so I don't want any changes of the originally user-submitted data in the database. Every altering shall be done in the view.

That's just my humble way of dealing with this situation

[eluser]noslen1[/eluser]
To my humble way of handling this situation, data manipulation has to be done in the controller, so that's where I'd put charachters escaping, just like form validation rules.

[eluser]PhilTem[/eluser]
IMHO escaping is not necessarily data manipulation since the data itself actually stays the same it's just a different way of displaying it. Data manipulation would be trimming, concatenating, and stuff like that. Plus it's at the end of your whole process so you don't perform any more further tasks with the data you displayed.

That's why I'm using escaping in the views

[eluser]behnampmdg3[/eluser]
[quote author="PhilTem" date="1351871234"]IMHO escaping is not necessarily data manipulation since the data itself actually stays the same it's just a different way of displaying it. Data manipulation would be trimming, concatenating, and stuff like that. Plus it's at the end of your whole process so you don't perform any more further tasks with the data you displayed.

- That's why I'm using escaping in the views [/quote]I am not sure but isn't one of the points of mvc "separating php code from html"?

- I also am dealing with databases where have been built years ago and I do not have control over the data already in there. I assume controller or view when I am printing the data is not a bad idea

Thanks

[eluser]PhilTem[/eluser]
MVC is about separating business logic from both storing and displaying data. So technically you need PHP in your views to e.g. loop over a result array and display it. Your controller only serves as a bound between model and view in collecting and providing the data which the view creates a presentation of.
That's how I learned and understand MVC