[nycphp-talk] Validating/cleaning/scrubbing
Chris Shiflett
shiflett at php.net
Sat Oct 1 12:39:53 EDT 2005
Stephen Musgrave wrote:
> Given Tuesday's presentation by Chris Shiflett (thanks, Chris!)
Thanks - I hope it was helpful. :-)
> I have been thinking more about security and am wondering if
> there are any classes out there that people are using that
> they trust and can recommend? Any comments about PHP Input
> Filter?
I'm the one that linked to it from the PHPSC Library, but I don't use
it. It has a strong reputation, and I like the general approach - as a
developer, you get to choose exactly what behavior you want.
I always write my own filtering logic, and I use the conventions that I
described in the talk (simple naming convention, variable
initialization, etc.).
csnyder wrote:
> The blacklist in PHP Input Filter doesn't include the style
> attribute, which can be used in a whole class of XSS attacks
> that involve obscuring a page's real content with content of
> an attacker's choosing.
You might be confusing this with something else. You get to specify
exactly what your blacklist (or whitelist) of tags and attributes is.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
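As an added illustration of the approach the thread discusses (not code from the post, from the talk, or from PHP Input Filter), the following PHP shows the two ideas side by side: the `$clean` array convention with explicit initialization, and a whitelist of tags and per-tag attributes in which anything not listed, including the `style` attribute csnyder raises, is dropped. All names (`ALLOWED`, `filterHtml`, `cleanRequest`) and the sample input are constructed for this example.

```php
<?php
declare(strict_types=1);

// Example only, not the list's or Chris's code. Whitelist of tags and the
// attributes each may keep. Anything absent is removed, so "style", event
// handlers and unknown tags never reach the output.
const ALLOWED = [
    'p'      => [],
    'b'      => [],
    'i'      => [],
    'em'     => [],
    'strong' => [],
    'a'      => ['href', 'title'],
];

// Accept absolute http(s)/mailto URLs or scheme-less relative paths only.
function safeUrl(string $url): bool
{
    $u = ltrim($url);
    if ($u === '') {
        return false;
    }
    if (preg_match('#^(https?:|mailto:)#i', $u)) {
        return true;
    }
    // Any other scheme (javascript:, data:, vbscript:, ...) is rejected.
    return !preg_match('#^[a-z][a-z0-9+.-]*:#i', $u);
}

function scrubNode(DOMNode $node, array $allowed): void
{
    // Copy the list first: removing children while iterating a live NodeList skips items.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue; // plain text is re-escaped by saveHTML()
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child); // comments, processing instructions, CDATA
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!array_key_exists($tag, $allowed)) {
            $node->removeChild($child); // whole element, so <script> bodies go too
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $allowed[$tag], true)
                || ($name === 'href' && !safeUrl($attr->value))) {
                $child->removeAttributeNode($attr);
            }
        }
        scrubNode($child, $allowed);
    }
}

// Parse the fragment with DOMDocument and rebuild it from the whitelist.
function filterHtml(string $dirty, array $allowed = ALLOWED): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate malformed input quietly
    $doc->loadHTML('<?xml encoding="UTF-8">' . $dirty);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    scrubNode($body, $allowed);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// The naming convention from the talk: raw input stays in its original array,
// values move into $clean only after passing their own check, and the rest of
// the application reads from $clean alone.
function cleanRequest(array $post): array
{
    $clean = []; // initialized, so an unvalidated key can never read as "present"
    if (isset($post['username']) && is_string($post['username'])
        && preg_match('/^[a-z0-9_]{3,32}$/', $post['username'])) {
        $clean['username'] = $post['username'];
    }
    if (isset($post['bio']) && is_string($post['bio'])) {
        $clean['bio'] = filterHtml($post['bio']);
    }
    return $clean;
}

// Constructed sample input (not real traffic) exercising the style attribute
// from the thread, an event handler, a disallowed scheme and an unlisted tag.
$constructedPost = [
    'username' => 'alice_01',
    'bio'      => '<p style="position:absolute;top:0">Hi '
                . '<a href="javascript:void(0)" onclick="x()">me</a>'
                . '<script>x()</script><b>ok</b></p>',
];
print_r(cleanRequest($constructedPost));
// Expected bio: <p>Hi <a>me</a><b>ok</b></p>
```

Because the whitelist is per tag, `href` survives only on `<a>` and only with an acceptable scheme; every other attribute, `style` included, is removed without needing to be enumerated in a blacklist.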