[thelist] Form Security

Ken Schaefer Ken at adOpenStatic.com
Tue Jul 20 00:59:54 CDT 2010

What happens when a user needs to enter a slash? My address is, say: 6/10 xyz street

If you have a specific reason to alter data (e.g. to massage it into a specific format) then by all means do so. But that has nothing to do with security - that's a general business requirement. 

There's no general need to remove slashes, or <script> or "DROP TABLE" or ' from user supplied data from a security perspectives. Just use the widely available techniques/technologies available (parametised queries, HTMLEncode()) and you can also preserve the fidelity of user data.


-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of DAVOUD TOHIDY
Sent: Monday, 19 July 2010 10:29 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Form Security

>> Maybe I should be doing the strip tags and slashes too...hmm
>>> As far as I know yes it is a good idea to use both you mentioned.

>>>>No, it's not a good idea, because it changes the original data.


I am using php, mysql. So by changing data for example in a search input or in a contact form by the user what do you mean happens? why it should be a problem? Is it NOT o.k if i get only the text from an input by the user with markup?

could you provide your suggestion for the code I provided in my original post please? with explanation as to why it is better thatn the code I have provided please.


More information about the thelist mailing list