Inbound or Outbound Sanitation?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
User avatar
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Inbound or Outbound Sanitation?

Post by Ambush Commander »

I've been deliberating over this for some time now, because in the past I implemented it in an ad hoc way, so now I want to choose one or the other.

What are the advantages and disadvanteges of inbound sanitation, and what about outbound sanitation?

A few reasons I can think off my head:

Inbound sanitation is good because it only requires data to be sanitized once: whereas outbound sanitation must be executed every time the page is loaded (unless you cache it). Outbound sanitation, however, is easily adaptable and can be changed quickly, whereas a change in an inbound sanitation scheme would require the new rules be applied to everything in the database.

What else? Does it matter depending on what you're storing?
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

inbound protects the server. Outbound protects the user from others, or themselves. They can all be done inbound, technically. However, you require code to undo them when needed no matter what. Front end processing has the advantage of not needing so much processing in the end game, but if the filters need changing at all (which is often) I suggest doing anything that isn't security critical on outbound.

At any rate, this is a security topic.
User avatar
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

I do inbound usually, but I also store a copy of the original data, so if the rules change I can just apply them to the original and not have to muck about trying to alter something thats been changed before.
User avatar
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Post by shiflett »

Both.

Filter input. Escape output. Abide by those rules, and you'll develop more secure PHP applications than 99% of PHP developers. :-)
Post Reply