[thelist] Form Security
Ken Schaefer
Ken at adOpenStatic.com
Tue Jul 20 00:59:54 CDT 2010
What happens when a user needs to enter a slash? My address is, say: 6/10 xyz street
If you have a specific reason to alter data (e.g. to massage it into a specific format) then by all means do so. But that has nothing to do with security - that's a general business requirement.
There's no general need to remove slashes, or <script> or "DROP TABLE" or ' from user supplied data from a security perspective. Just use the widely available techniques/technologies (parameterised queries, HTMLEncode()) and you can also preserve the fidelity of user data.
Cheers
Ken
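The point above, shown as an added example that is not part of the original thread: user data containing a slash, a quote, a tag or an SQL keyword is stored and retrieved unchanged through a parameterised query, and encoded only at output time for the HTML context. SQLite in memory stands in for the MySQL table, and the sample inputs are constructed for the demonstration; the function names are hypothetical.

```python
import html
import re
import sqlite3

# Constructed sample inputs of the kind discussed in the thread.
SAMPLE_INPUTS = [
    "6/10 xyz street",
    "O'Brien",
    "<script>alert(1)</script>",
    "Robert'; DROP TABLE addresses; --",
]


def open_db():
    """In-memory SQLite table standing in for the MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE addresses (id INTEGER PRIMARY KEY, address TEXT NOT NULL)")
    return conn


def store_address(conn, address):
    """Store user input with a parameterised query.

    The value travels separately from the SQL text, so quotes, slashes and
    keywords are stored literally and never interpreted as SQL."""
    cur = conn.execute("INSERT INTO addresses (address) VALUES (?)", (address,))
    conn.commit()
    return cur.lastrowid


def search_addresses(conn, term):
    """Parameterised LIKE search; the wildcards go into the parameter value,
    not into the SQL text, so the search term needs no escaping."""
    rows = conn.execute(
        "SELECT address FROM addresses WHERE address LIKE ?", ("%" + term + "%",)
    ).fetchall()
    return [r[0] for r in rows]


def render_list_item(address):
    """Encode for the HTML context at output time (the HTMLEncode() step).
    The stored value is untouched; only this rendering is escaped."""
    return "<li>%s</li>" % html.escape(address, quote=True)


def naive_strip(value):
    """What the thread argues against: stripping characters up front.
    It loses information ("6/10" becomes "610") and still is not a defence."""
    return re.sub(r"[/'<>]", "", value)


def round_trip(inputs):
    """Store every input and read it back; also confirm the table survived."""
    conn = open_db()
    for value in inputs:
        store_address(conn, value)
    stored = [r[0] for r in conn.execute("SELECT address FROM addresses ORDER BY id")]
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    return stored, tables


if __name__ == "__main__":
    stored, tables = round_trip(SAMPLE_INPUTS)
    for value in stored:
        print(render_list_item(value))
    print("tables still present:", tables)
```

Run it and every input comes back byte-for-byte as entered, the table is still there despite the "DROP TABLE" string, and the rendered list items show the tag as text rather than executing it; `naive_strip` shows the data loss that stripping would cause on the address from the thread.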
-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of DAVOUD TOHIDY
Sent: Monday, 19 July 2010 10:29 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Form Security
>> Maybe I should be doing the strip tags and slashes too...hmm
>>> As far as I know yes it is a good idea to use both you mentioned.
>>>> No, it's not a good idea, because it changes the original data.
I am using php, mysql. So by changing data for example in a search input or in a contact form by the user, what do you mean happens? Why should it be a problem? Is it NOT OK if I get only the text from an input by the user with markup?
Could you provide your suggestion for the code I provided in my original post please? With explanation as to why it is better than the code I have provided please.
Thanks
davoud