[thelist] Form Security
Bill Moseley
moseley at hank.org
Thu Jul 15 18:41:29 CDT 2010
On Thu, Jul 15, 2010 at 3:43 PM, DAVOUD TOHIDY <dtohidy at hotmail.com> wrote:
>
> > php > echo strip_tags( " Is 1 + 1 <3 or is it> 3?" );
> >
> Is 1 + 1 3?
>
> As a newbie in the PHP world, I'm not sure what you mean by that. I am just
> trying to be on the safe side. Is there anything wrong with my code? Please
> explain.
>
There's no need to replace/remove those characters (changing the meaning of
the input).
What are you trying to protect? Want to protect against cross-site
scripting? Always escape user data when rendering back out -- don't filter
on input when you don't know how the data will be used. It's also a
guessing game as to what to filter. Never use user data directly in SQL
(always use bind parameters). Never send it through the shell. Never render
it w/o escaping as required for the output medium.
That's not to say don't validate. You should always validate your input
data before using. If you expect an id for a row in a table then make sure
it is a valid id format before using. I would assume that PHP has some
form-handling modules that can abstract out the work of validating input.
Perhaps someone here can recommend something. And a DB abstraction layer
(Pear?).
> And also, please comment in regards to the "USER" privileges.
>
I didn't understand that question.
--
Bill Moseley
moseley at hank.org
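An added example in PHP (not code from this thread) that walks through the points in the reply above: the same input from the quoted php> session passed through strip_tags(), escaped with htmlspecialchars() only at render time, a row id validated with filter_var() before use, and user data bound into a PDO query. It assumes the pdo_sqlite extension is available and uses a constructed in-memory table.

```php
<?php
// Constructed sample inputs: the string from the quoted php> session, plus one
// with an apostrophe and markup to show that escaping and binding preserve it.
$input = " Is 1 + 1 <3 or is it> 3?";
$quoted = "O'Reilly's <b>note</b>";

// 1. Filtering on input: strip_tags() treats "<3 or is it>" as a tag and drops it,
//    so the stored text no longer says what the user typed.
echo strip_tags($input), "\n";

// 2. Escaping on output: the text is kept intact and only made safe for the
//    medium it is rendered into (here, an HTML body with UTF-8 encoding).
function render_html(string $userData): string
{
    return htmlspecialchars($userData, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
echo render_html($input), "\n";
echo render_html($quoted), "\n";

// 3. Validation: an id must look like a positive integer before it is used at all.
//    Returns the integer on success, null for anything that is not an id.
function valid_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}
var_dump(valid_id('42'));
var_dump(valid_id('42 OR 1=1'));

// 4. Bind parameters: user data never becomes part of the SQL text, so quotes
//    and angle brackets are stored verbatim and need no filtering.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

$ins = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
foreach ([$input, $quoted] as $body) {
    $ins->execute([':body' => $body]);
}

// Validate the id, bind it, and escape the result only when rendering.
$sel = $db->prepare('SELECT body FROM notes WHERE id = :id');
$id = valid_id('2');
if ($id !== null) {
    $sel->execute([':id' => $id]);
    echo render_html((string) $sel->fetchColumn()), "\n";
}
```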