Can you check my code - need your expert help

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

newbie2php, you made a good point about the issue of filtering versus validating. It's good to realize the differences and when to apply which.

Hockey suggested filtering the data (stripping unwanted characters immediately), but as you said, that can be confusing or lead to problems when a user doesn't expect that to happen. In other words, he enters his password "bert*%$", you strip the *%$ and as a consequence his pass is suddenly "bert". I would only apply filtering to certain stuff, like the spaces or brackets in a telephone number for example.
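The filter-versus-validate distinction from the post above, as an added PHP example (not code from the thread or its participants; function names and the password rules are my own): the filter silently turns "bert*%$" into "bert", while the validator either keeps the secret exactly as typed or rejects it so the user can be told, and stripping is reserved for the telephone case where the dropped characters carry no meaning.

```php
<?php
// Added example, not from the thread. Shows why a password should be
// validated (accepted as-is or rejected) rather than filtered (altered),
// and why filtering is acceptable for a telephone number.

// Filtering: strips everything except letters and digits. A user who typed
// "bert*%$" ends up with the password "bert" without ever being told.
function filterPassword(string $input): string
{
    return preg_replace('/[^A-Za-z0-9]/', '', $input);
}

// Validating: never changes the secret. Returns the password unchanged when
// it passes the (assumed) policy, or null so the caller can show an error.
// Policy used here: at least 8 bytes and no control characters.
function validatePassword(string $input): ?string
{
    if (strlen($input) < 8 || preg_match('/[\x00-\x1F\x7F]/', $input)) {
        return null;
    }
    return $input;
}

// Filtering is fine where the removed characters carry no information:
// "(020) 123-4567" and "0201234567" denote the same number.
function filterPhone(string $input): string
{
    return preg_replace('/[\s()\-]/', '', $input);
}

// Even a filtered value should still be validated before use.
function validatePhone(string $input): ?string
{
    $digits = filterPhone($input);
    return preg_match('/^\+?[0-9]{6,15}$/', $digits) ? $digits : null;
}

// Constructed sample inputs from the post and a phone number.
$typedPassword = 'bert*%$';
$typedPhone    = '(020) 123-4567';

echo "Filtered password: ", filterPassword($typedPassword), PHP_EOL;
echo "Validated password: ", var_export(validatePassword($typedPassword), true), PHP_EOL;
echo "Validated phone: ", var_export(validatePhone($typedPhone), true), PHP_EOL;
```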