Re: oop question
Posted: Fri Jun 26, 2009 2:49 pm
http://forums.devnetwork.net/ (A community of PHP developers offering assistance, advice, discussion, and friendship.)

arborint wrote:
It's not if, if, if -- you should always do both. Neither is perfect so Defense in Depth is necessary.

You encode both the input and the output data? I think you are trying to say something else.

Code:
// Input encoding
$data = htmlspecialchars($_GET['data'], ENT_QUOTES, 'UTF-8');
$db->saveToDb($data);

// later in the script, we do output encoding
$data = htmlspecialchars($db->fetchData(), ENT_QUOTES, 'UTF-8');
echo $data;

Code:
script.php?data=<script>

Code:
<script>

Code:
name: O'Reilly

Code:
SELECT email FROM users WHERE name='O\'Reilly' -- the ' in O'Reilly escaped for the DB

Jenk wrote:
In reply to kaisellgren's reply.. no, that's not what I meant.
If the client has/wants a WYSIWYG editor, and wants it for use in, for example, a CMS then I will only escape for the DB. They will want their HTML to render as HTML after all.
If they do not want HTML allowed, then I shall ask if they want it stripped or encoded (special chars).

Ah, ok. That makes sense. Just make sure a random person won't be able to put HTML without filtering.
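The double-encoding failure kaisellgren's snippet shows, placed next to the encode-once-per-sink pattern, as an added example that is not any poster's code; it assumes an open PDO handle $pdo and a users(name, email) table, and the saveName/fetchEmailByName helpers are hypothetical names.

```php
<?php
// Added example (not from the thread): user input encoded both on the way
// into the database and again on the way out, versus stored as typed and
// encoded exactly once, for the sink it is sent to.
// Assumption: $pdo is an open PDO handle with a table users(name, email).

// Pattern from the thread: encode on input, then encode again on output.
function encodeTwice(string $userInput): string
{
    $stored = htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8'); // "input encoding"
    // The & that starts each entity (&lt; &gt; &#039;) is itself an HTML
    // special character, so the second pass encodes it again and the
    // browser shows the visitor the entity text instead of the original input.
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');       // output encoding
}

// Store as typed, encode exactly once at the HTML sink.
function encodeOnce(string $stored): string
{
    // One pass: <script> is rendered as text, not interpreted as a tag.
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// The DB sink gets its own treatment: a bound parameter instead of hand
// escaping, so O'Reilly is stored with its quote intact and the value is
// never spliced into the SQL text at all.
function saveName(PDO $pdo, string $name, string $email): void
{
    $stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
}

function fetchEmailByName(PDO $pdo, string $name): ?string
{
    $stmt = $pdo->prepare('SELECT email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $email = $stmt->fetchColumn();
    return $email === false ? null : $email;
}

// Constructed sample input: the thread's two test values combined.
$input = "<script>O'Reilly</script>";
echo "double-encoded: ", encodeTwice($input), PHP_EOL;
echo "encoded once:   ", encodeOnce($input), PHP_EOL;
```

Run it and compare the two lines: only the second one, when placed in an HTML page, displays the text the user actually typed while keeping the tag inert.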