Tainted User Input
Posted: Mon Jul 03, 2006 10:23 am
by Bigun
In some of my input fields I will allow some HTML, others none... and some could be used with MySQL injection attacks.
Now, my question is this. What is the easiest method to filter user input?
in_array();
!in_array();
someotherfunctionidontknowabout();
Posted: Mon Jul 03, 2006 10:59 am
by jmut
Posted: Mon Jul 03, 2006 11:39 am
by Bigun
Is that link having issues loading with anyone else?
Posted: Mon Jul 03, 2006 12:19 pm
by jmut
me

Posted: Mon Jul 03, 2006 12:50 pm
by Bigun
Working now..

Posted: Mon Jul 03, 2006 12:55 pm
by Christopher
I find there are two schools of thought on this:
1. Validate input first, error if there are problems, and then filter as necessary. Filtering is simplified.
2. Filter input first, then validate and error if there are problems. Validation is simplified.
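The first approach (validate, then filter), worked through in PHP as an added example that is not code from this thread or from any poster. The field names, the allowed tag list and the $pdo connection are assumptions made for illustration.

```php
<?php
// Added example: "validate first, then filter" applied to the field kinds
// the question describes. Field names, tag list and $pdo are assumed.

// Step 1: validate. Reject anything outside the expected shape, so the
// filter step only ever sees input of a known structure.
function validateUsername(string $value): bool
{
    // letters, digits and underscore only, 3-20 characters; no HTML possible
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $value) === 1;
}

function validateComment(string $value): bool
{
    // valid UTF-8 and a length limit; HTML is handled by the filter step
    return mb_check_encoding($value, 'UTF-8') && mb_strlen($value, 'UTF-8') <= 2000;
}

// Step 2: filter. A field that allows "some HTML" gets an allow-list of
// tags. strip_tags() keeps attributes on allowed tags, so they are removed
// separately; otherwise an attribute such as onclick would survive.
function filterComment(string $value): string
{
    $allowed  = '<b><i><p><br>';
    $stripped = strip_tags($value, $allowed);
    // keep only the bare tag name (and closing slash) of the surviving tags
    return preg_replace('/<(\/?)(b|i|p|br)\b[^>]*>/i', '<$1$2>', $stripped);
}

// Step 3: output context. A field that allows no HTML is escaped when it is
// rendered, so the browser never interprets it as markup.
function renderPlain(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Step 4: database context. SQL injection is handled by a parameterised
// query, not by the HTML filtering above; $pdo is an assumed PDO connection.
function saveComment(PDO $pdo, string $username, string $comment): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (username, body) VALUES (:u, :b)');
    $stmt->execute([':u' => $username, ':b' => $comment]);
}

// Usage with constructed input: validate, then filter, then store.
// $username = 'bigun_2006'; $comment = '<b onclick="x">hi</b><script>1</script>';
// if (validateUsername($username) && validateComment($comment)) {
//     saveComment($pdo, $username, filterComment($comment));   // body: <b>hi</b>1
// }
```

The HTML filter and the SQL parameterisation address different contexts; each field still needs the treatment that matches where its value ends up.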
Posted: Mon Jul 03, 2006 1:20 pm
by basdog22
Another way is to use a class like XML_HTMLSax. Check on PEAR's site for it.