[thelist] Form Security

Ken Schaefer Ken at adOpenStatic.com
Mon Jul 19 08:30:33 CDT 2010


-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of DAVOUD TOHIDY
Sent: Friday, 16 July 2010 6:11 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Form Security

>> Maybe I should be doing the strip tags and slashes too...hmm
>
> As far as I know yes it is a good idea to use both you mentioned.

No, it's not a good idea, because it changes the original data.

If you are worried about SQL injection, then use parameterised queries (for whatever data access technology you are using). If you are using ASP.NET, then you'd use SqlCommand/SqlParameter objects, or OleCommand/Parameter objects. Just about every platform has similar. Then it's up to the datasource driver provider to protect you. And Oracle/Microsoft/Sybase etc. put a lot more effort into doing this than you ever will be able to yourself.

If you are worried about cross-site-scripting, then escape the data whenever it is re-used, using whatever escaping mechanisms are provided by your application platform (e.g. using HTMLEncode() when rendering to an HTML browser).

Cheers
Ken
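
The two fixes Ken describes, as an added C# example that is not from the list post: a parameterised SqlCommand instead of string concatenation, and HTML encoding applied only when the stored value is rendered. It assumes a hypothetical Users table with Name and Email columns and an already-open SqlConnection.

```csharp
// Added example, not from the original thread. Assumes a hypothetical "Users"
// table (columns Name, Email) and an open SqlConnection supplied by the caller.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class FormHandling
{
    // The approach the thread warns against: raw form input spliced into SQL text.
    // Even legitimate input such as O'Brien breaks the statement, and the data
    // source cannot tell the user's text apart from the query itself.
    public static string UnsafeLookupSql(string name)
    {
        return "SELECT Email FROM Users WHERE Name = '" + name + "'";
    }

    // Parameterised version: the SQL text is fixed, and the value is sent as a
    // typed parameter, so the driver treats it as data rather than as SQL.
    public static SqlCommand BuildSafeLookup(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand("SELECT Email FROM Users WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    // Output encoding at render time: the stored value is left exactly as the
    // user typed it (no strip_tags or addslashes on input), and is escaped only
    // when it is placed into HTML.
    public static string RenderGreeting(string name)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(name) + "</p>";
    }

    public static void Main()
    {
        // Constructed sample input: a legitimate name containing an apostrophe
        // and angle brackets, which both techniques must preserve safely.
        string input = "O'Brien <b>";
        Console.WriteLine(UnsafeLookupSql(input));   // broken SQL text
        Console.WriteLine(RenderGreeting(input));    // O&#39;Brien &lt;b&gt;
    }
}
```

UnsafeLookupSql is included only to show why the concatenated statement is wrong; BuildSafeLookup is the version to execute.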