Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I would create a validation class that validates common post variables. You can then use the same class for everything, i.e. the signup form, lost password form, login form, etc. This gives you several layers of protection.
astions wrote: I would create a validation class that validates common post variables. You can then use the same class for everything, i.e. the signup form, lost password form, login form, etc. This gives you several layers of protection.
Hey all,
I think there is some misunderstanding here as to what escaping and validation really are.
ESCAPING is preparing given content to work/present itself adequately in a given context (DB, HTML, whatever).
ESCAPING (preparing WHATEVER data to be safely introduced to a given context) has absolutely nothing to do with validation (data we would consider harmful to our application at some point).
So when you want to store/select data in the DB, for example, you just need to escape it (the only reliable way is either using mysql_real_escape_string() or prepared queries)... otherwise you fail to ensure your data will go wholly/unchanged into the database and you may experience a failed/injected SQL query.
Another example (for another context) is using htmlentities to properly introduce whatever data to the HTML context.
Now, whether this data is valid for your application... it is up to you to decide whether or not it is... you escape data to fit correctly into its new context.
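An added example, not code from either poster, putting both posts together: a small validation class for common POST fields (astions' suggestion) kept separate from per-context escaping (a prepared statement for SQL, htmlentities for HTML). The class name, field names, rules and the in-memory SQLite database are assumptions made for this illustration.

```php
<?php
// Added example (not from the thread). Validation decides whether the data is
// acceptable to the application; escaping prepares whatever survived for one
// specific context (SQL, HTML). Neither step replaces the other.
declare(strict_types=1);

final class PostValidator
{
    /** @return string[] error messages; an empty list means the input is valid */
    public function validateSignup(array $post): array
    {
        $errors   = [];
        $username = $post['username'] ?? '';
        $email    = $post['email'] ?? '';
        // Application rules (assumed here): they say nothing about SQL or HTML,
        // only about what this application considers acceptable input.
        if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
            $errors[] = 'username must be 3-20 letters, digits or underscores';
        }
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = 'email address is not valid';
        }
        return $errors;
    }
}

// Context 1: the database. The prepared statement carries the values apart from
// the SQL text, so the input reaches the table unchanged (the "prepared queries" option).
function insertUser(PDO $db, string $username, string $email): void
{
    $stmt = $db->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
    $stmt->execute([':u' => $username, ':e' => $email]);
}

// Context 2: HTML output. The same value is escaped again for this new context;
// having passed validation earlier does not make it safe to echo raw.
function renderGreeting(string $username): string
{
    return '<p>Welcome, ' . htmlentities($username, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Usage with a constructed request (hypothetical values; in-memory SQLite so it runs offline).
$post   = ['username' => 'alice_01', 'email' => 'alice@example.com'];
$errors = (new PostValidator())->validateSignup($post);
if ($errors === []) {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (username TEXT, email TEXT)');
    insertUser($db, $post['username'], $post['email']);
    echo renderGreeting($post['username']), PHP_EOL;
} else {
    echo implode(PHP_EOL, $errors), PHP_EOL;
}
```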