Inbound or Outbound Sanitation?

Posted: Wed Mar 16, 2005 10:30 pm
by Ambush Commander
I've been deliberating over this for some time now, because in the past I implemented it in an ad hoc way, so now I want to choose one or the other.

What are the advantages and disadvantages of inbound sanitation, and what about outbound sanitation?

A few reasons I can think of off the top of my head:

Inbound sanitation is good because it only requires data to be sanitized once: whereas outbound sanitation must be executed every time the page is loaded (unless you cache it). Outbound sanitation, however, is easily adaptable and can be changed quickly, whereas a change in an inbound sanitation scheme would require the new rules be applied to everything in the database.

What else? Does it matter depending on what you're storing?

Posted: Wed Mar 16, 2005 10:39 pm
by feyd
Inbound protects the server. Outbound protects the user from others, or themselves. They can all be done inbound, technically. However, you require code to undo them when needed no matter what. Front end processing has the advantage of not needing so much processing in the end game, but if the filters need changing at all (which is often) I suggest doing anything that isn't security critical on outbound.

At any rate, this is a security topic.

Posted: Thu Mar 17, 2005 6:21 am
by onion2k
I do inbound usually, but I also store a copy of the original data, so if the rules change I can just apply them to the original and not have to muck about trying to alter something that's been changed before.

Posted: Fri Mar 18, 2005 5:13 pm
by shiflett
Both.

Filter input. Escape output. Abide by those rules, and you'll develop more secure PHP applications than 99% of PHP developers. :-)
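The following is an added example, not code from any poster in this thread, showing the split that the question, onion2k's reply and shiflett's "Filter input. Escape output." describe: the inbound step only accepts or rejects against a whitelist and stores the accepted value unmodified, and the outbound step escapes that stored value for the context it is rendered into, on every page build. The function names, field names and the in-memory array standing in for the database are assumptions made for the example; the submissions are constructed sample input.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Inbound: validate, never "clean up".
// Outbound: escape per context. The stored value is the accepted original,
// so a change in output rules needs no migration of what is already stored.

/**
 * Inbound filter. Returns the accepted record, or null when any field is
 * rejected. Whitelist rules are deliberately strict: a value either matches
 * the rule or it is refused, it is not rewritten into something that fits.
 */
function filterComment(array $raw): ?array
{
    $name  = $raw['name']  ?? '';
    $email = $raw['email'] ?? '';
    $body  = $raw['body']  ?? '';

    // Short alphanumeric handle; \A and \z anchor the whole string.
    if (!is_string($name) || preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $name) !== 1) {
        return null;
    }
    // PHP's built-in syntactic e-mail validator.
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Free text: cap the byte length and refuse C0 control characters
    // other than tab, LF and CR.
    if (!is_string($body) || strlen($body) > 2000
        || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $body) === 1) {
        return null;
    }
    return ['name' => $name, 'email' => $email, 'body' => $body];
}

/** Outbound: HTML text and attribute values (quotes included). */
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Outbound: a single query-string parameter value. */
function forUrlParam(string $s): string
{
    return rawurlencode($s);
}

/** Outbound: a string literal inside an inline <script> block. */
function forJs(string $s): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return json_encode($s, $flags);
}

// In-memory stand-in for the database table (assumption for the example).
$store = [];

// Constructed sample submissions; the second fails the name whitelist.
$submissions = [
    ['name' => 'alice_1',    'email' => 'alice@example.com', 'body' => 'Tom & Jerry <3 "quotes"'],
    ['name' => '<b>bob</b>', 'email' => 'bob@example.com',   'body' => 'hi'],
];

foreach ($submissions as $s) {
    $accepted = filterComment($s);
    if ($accepted === null) {
        continue;               // rejected on the way in, nothing stored
    }
    $store[] = $accepted;       // stored exactly as accepted
}

// Render: the same stored string is escaped differently for each context,
// and this runs every time the page is produced.
foreach ($store as $row) {
    printf("<p data-mail=\"%s\">%s</p>\n", forHtml($row['email']), forHtml($row['name']));
    printf("<p>%s</p>\n", forHtml($row['body']));
    printf("<a href=\"/search?q=%s\">search</a>\n", forUrlParam($row['body']));
    printf("<script>var body = %s;</script>\n", forJs($row['body']));
}
```

Running it prints one rendered comment; the second submission is dropped before storage. Because `$store` holds the raw accepted text, switching the HTML renderer to a different escaping policy later (or adding a new output context such as a JSON API) touches only the `for*` functions, which is the adaptability advantage of outbound escaping that the original question raises, while the inbound whitelist still keeps malformed records off the server.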