oop question
- Christopher (Site Administrator)
Re: oop question
It's not if, if, if -- you should always do both. Neither is perfect so Defense in Depth is necessary.
- kaisellgren
Re: oop question
arborint wrote:
It's not if, if, if -- you should always do both. Neither is perfect so Defense in Depth is necessary.

You encode both the input and the output data? I think you are trying to say something else.

Let's say we are outputting in between a DIV tag and the document is encoded as UTF-8.

```php
// Input encoding
$data = htmlspecialchars($_GET['data'], ENT_QUOTES, 'UTF-8');
$db->saveToDb($data);
// later in the script, we do output encoding
$data = htmlspecialchars($db->fetchData(), ENT_QUOTES, 'UTF-8');
echo $data;
```

Request:

```
script.php?data=<script>
```

Result:

```
<script>
```

I made a quick picture:

That's from the perspective of a PHP application. The Input Encoding arrow may be a bit confusing... it doesn't mean the client encoded it.
There is I/O escaping, but I simply can't imagine any clever reason to have input escaping, so I only typed Escaping there. If someone comes up with a good reason to use Input Escaping, great.
EDIT: An example of Input Escaping:
Client sends:

```
name: O'Reilly
```

```sql
SELECT email FROM users WHERE name='O\ 'Reilly'
```

(ignore the stupid space..)

- Jenk
Re: oop question
In reply to kaisellgren's reply.. no, that's not what I meant.
If the client has/wants a WYSIWYG editor, and wants it for use in, for example, a CMS then I will only escape for the DB. They will want their HTML to render as HTML after all.
If they do not want HTML allowed, then I shall ask if they want it stripped or encoded (special chars).
- kaisellgren
Re: oop question
Jenk wrote:
In reply to kaisellgren's reply.. no, that's not what I meant.
If the client has/wants a WYSIWYG editor, and wants it for use in, for example, a CMS then I will only escape for the DB. They will want their HTML to render as HTML after all.
If they do not want HTML allowed, then I shall ask if they want it stripped or encoded (special chars).

Ah, ok. That makes sense. Just make sure a random person won't be able to put HTML without filtering.
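Putting the two points of the thread together (escape for the DB only, encode for HTML once at output), here is an added example that is not code from any of the posters. It replaces the backslash-style input escaping with a PDO bound parameter and assumes an in-memory SQLite database (pdo_sqlite) so it runs stand-alone; the table and column names are made up for the demo.

```php
<?php
// Added example, not from the thread. Demonstrates: store the raw input via a
// prepared statement (no "input escaping"), then HTML-encode exactly once at
// the point of output. Assumes the pdo_sqlite extension is available.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT NOT NULL, comment TEXT NOT NULL)');

// Escaping "for the DB" is done by the driver: the bound parameter keeps data
// apart from the SQL text, so O'Reilly needs no backslash and the comment
// needs no htmlspecialchars() before it is stored.
function saveComment(PDO $db, string $name, string $comment): void {
    $stmt = $db->prepare('INSERT INTO users (name, comment) VALUES (:name, :comment)');
    $stmt->execute([':name' => $name, ':comment' => $comment]);
}

function fetchComment(PDO $db, string $name): string {
    $stmt = $db->prepare('SELECT comment FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return (string) $stmt->fetchColumn();
}

// Output encoding for an HTML element context (the DIV from the thread),
// applied once, at the moment the value goes into the page.
function renderComment(string $raw): string {
    return '<div>' . htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</div>';
}

// Constructed sample input, the same shape as the thread's ?data=<script>.
$name    = "O'Reilly";
$comment = '<script>alert(1)</script>';

saveComment($db, $name, $comment);
$stored = fetchComment($db, $name);

// The row holds the raw text unchanged; only the rendered page is encoded.
if ($stored !== $comment) {
    throw new RuntimeException('raw text was altered on its way through the DB');
}
echo renderComment($stored), PHP_EOL;

// For comparison, the input-AND-output encoding from the thread: the second
// pass turns the & of every entity into &amp;, so the browser shows the
// entity text itself rather than the characters the user typed.
$twice = htmlspecialchars(htmlspecialchars($comment, ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8');
echo $twice, PHP_EOL;
```

The WYSIWYG case from Jenk's reply is the one place the output step changes: trusted editor content is passed through without htmlspecialchars(), which is exactly why kaisellgren's caveat about untrusted users posting HTML applies there.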