I've been deliberating over this for some time now, because in the past I implemented it in an ad hoc way, so now I want to choose one or the other.
What are the advantages and disadvantages of inbound sanitation, and what about outbound sanitation?
A few reasons I can think of off the top of my head:
Inbound sanitation is good because it only requires data to be sanitized once: whereas outbound sanitation must be executed every time the page is loaded (unless you cache it). Outbound sanitation, however, is easily adaptable and can be changed quickly, whereas a change in an inbound sanitation scheme would require the new rules be applied to everything in the database.
What else? Does it matter depending on what you're storing?
Inbound or Outbound Sanitation?
- Ambush Commander (DevNet Master)
- feyd (Neighborhood Spidermoddy)
Inbound protects the server. Outbound protects the user from others, or themselves. They can all be done inbound, technically. However, you require code to undo them when needed no matter what. Front-end processing has the advantage of not needing so much processing in the end game, but if the filters need changing at all (which is often), I suggest doing anything that isn't security critical on outbound.
At any rate, this is a security topic.
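The trade-off raised in the question (sanitize once on the way in versus re-encode on every render) and in feyd's reply (undoing inbound escaping, changing filters later) can be seen concretely with a small script. The following is an added example, not code from either poster or from any project: it keeps inbound work to validation and normalization, stores the user's actual text, and does context-specific escaping outbound. Alongside it, a "pre-escape on input" store shows what goes wrong when the same stored value is later needed in a non-HTML context or passes through an HTML escaper a second time. The sample input, the length limit and the function names are all constructed for the demonstration.

```python
import html
import json
import unicodedata

# Constructed sample of user-submitted text, as it might arrive from a form field.
SAMPLE_INPUT = '  Tom & Jerry <b>say</b> "hi"\x00  '


def sanitize_inbound(raw: str) -> str:
    """Inbound step: validate and normalize, but do not escape for any output
    context. What gets stored is the user's real text, so every output path
    (HTML, JSON, plain-text mail, logs) can encode it for its own context."""
    text = raw.replace("\x00", "")            # NUL bytes are rejected by many backends
    text = unicodedata.normalize("NFC", text)  # one canonical Unicode form in storage
    text = text.strip()
    if len(text) > 200:                        # hypothetical field limit
        raise ValueError("comment too long")
    return text


def render_html(stored: str) -> str:
    """Outbound step for an HTML body context: escape at the point of output."""
    return f"<p>{html.escape(stored, quote=True)}</p>"


def render_json(stored: str) -> str:
    """Outbound step for a JSON API response: json.dumps does the encoding."""
    return json.dumps({"comment": stored})


def store_pre_escaped(raw: str) -> str:
    """The 'escape once on the way in' alternative: HTML-encode before storing.
    Changing this policy later means re-processing every row already stored."""
    return html.escape(sanitize_inbound(raw), quote=True)


def demo() -> dict:
    """Run both strategies over the sample and return every rendered form."""
    stored = sanitize_inbound(SAMPLE_INPUT)
    pre = store_pre_escaped(SAMPLE_INPUT)
    return {
        "stored": stored,
        "html": render_html(stored),
        "json": render_json(stored),
        # Pre-escaped value reaching a JSON consumer: HTML entities leak into
        # a context that never wanted them.
        "pre_escaped_json": render_json(pre),
        # Pre-escaped value passing through the HTML renderer: double encoding,
        # so the user sees "&amp;" instead of "&".
        "pre_escaped_html_twice": render_html(pre),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Storing the normalized raw text and escaping outbound is what makes feyd's "undo it when needed" code unnecessary: the JSON path and the HTML path each apply their own encoder, and swapping the HTML escaper later touches only `render_html`, not the database.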