Posted: Sat Mar 03, 2007 8:26 am
by matthijs
Discussions like these are often more about terminology than about the underlying principles. I think that anyone who has programmed some more agrees that you should do something with the data coming into your app, and something when data leaves your app. I prefer the terms input filtering/validation and output escaping.

Data from outside -> filter/validate -> Business logic -> escape -> HTML, DB, etc

So filtering/validating is making sure only good data comes into your app. If you want a numeric value for something, you don't want any other character. So you filter/validate with ctype_digit/is_numeric or something similar.

Escaping happens every time some data leaves your app, whether it is output to HTML or a db or something else. Depending on where the data goes to you use a specific escaping mechanism.
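The pipeline described in this post, as an added PHP example that is not from the thread: validation on the way in (with ctype_digit as mentioned above), then a separate escaping step per output context on the way out. It assumes the pdo_sqlite extension is available; the request values are constructed stand-ins for $_POST.

```php
<?php
// Added example (not from the thread): input validation on the way in,
// context-specific escaping on the way out.

// 1. Validate: accept only what the business logic actually needs.
function validateUserId(string $raw): ?int {
    // ctype_digit rejects signs, spaces and decimals; is_numeric would accept "1e3".
    if (!ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    return (int) $raw;
}

function validateDisplayName(string $raw): ?string {
    // Length and character-class limits only; no escaping here, because at
    // this point we do not yet know where the value will end up.
    return preg_match('/^[\p{L}\p{N} .\'-]{1,40}$/u', $raw) === 1 ? $raw : null;
}

// 2. Escape for the HTML context: every value placed into markup goes through this.
function toHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. "Escape" for the database context: parameter binding instead of string building.
function saveUser(PDO $db, int $id, string $name): void {
    $stmt = $db->prepare('INSERT INTO users (id, name) VALUES (:id, :name)');
    $stmt->execute([':id' => $id, ':name' => $name]);
}

// Constructed request values standing in for $_POST.
$post = ['id' => '42', 'name' => "O'Brien"];

$id   = validateUserId($post['id']);        // 42
$name = validateDisplayName($post['name']); // "O'Brien": valid, but still unsafe raw
if ($id === null || $name === null) {
    http_response_code(400);
    exit('invalid input');
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
saveUser($db, $id, $name);                 // apostrophe handled by the binding, not by us

echo '<p>Welcome, ' . toHtml($name) . '</p>'; // apostrophe becomes &#039; in HTML
```

The same validated $name is escaped differently for each destination; nothing in the validation step tries to anticipate HTML or SQL, which is what keeps the two concerns separate.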

Posted: Mon Mar 05, 2007 7:24 am
by infolock
Exactly. stripslashes, addslashes, regular expressions, and any other form of validation and data-validation functions are absolutely needed. Couldn't have said it better myself, matthijs.