[thelist] Form Security

Bill Moseley moseley at hank.org
Thu Jul 15 18:41:29 CDT 2010

On Thu, Jul 15, 2010 at 3:43 PM, DAVOUD TOHIDY <dtohidy at hotmail.com> wrote:

> >  php > echo strip_tags( " Is 1 + 1 <3 or is it> 3?" );
> >
>  Is 1 + 1  3?
> As a newbie in PHP world not sure what you mean by that. I am just trying
> to be on the safe side. Is there anything wrong with my code so please
> explain

There's no need to replace/remove those characters (changing the meaning of
the input).

What are you trying to protect?  Want to protect against cross-site
scripting?  Always escape user data when rendering back out -- don't filter
on input when you don't know how the data will be used.  It's also a
guessing game as to what to filter.  Never use user data directly in SQL
(always use bind parameters).  Never send it though the shell.  Never render
it w/o escaping as required for the output medium.

That's not to say don't validate.  You should always validate your input
data before using.  If you expect an id for a row in a table then make sure
it is a valid id format before using.  I would assume that PHP has some
form-handling modules that can abstract out the work of validating input.
 Perhaps someone here can recommend something.  And a DB abstraction layer

> and also please comment in regards to the "USER" privileges please.

I didn't understand that question.

Bill Moseley
moseley at hank.org

More information about the thelist mailing list