NYCPHP Meetup

NYPHP.org

[nycphp-talk] Injection Attack, any ideas?

Daniel Convissor danielc at analysisandsolutions.com
Sat Nov 17 00:42:57 EST 2007


Hi Rob:

On Mon, Nov 12, 2007 at 04:26:54PM -0500, Rob Marscher wrote:
> 
> But it's expensive to escape it every time someone views the page.
> Therefore, it's recommended to filter it on input but store the
> filtered version

This approach is flawed because disgruntled people who have server-side 
access to the database can insert HTML.  Escaping HTML upon page 
generation is the safest way to go.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409
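Dan's point, as an added example that is not code from the thread: a constructed comments table where one row went through an input filter and one was written straight into the database by someone with server-side access. Escaping once at output time renders both safely; the filtered row also shows why the stored copy should stay raw (the `h()` helper and `COMMENTS` table are assumed for illustration).

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a comments table.
// Row 1 passed through the web form's input filter, which HTML-encoded it.
// Row 2 was inserted directly into the database, so no input filter saw it.
const COMMENTS = [
    ['id' => 1, 'body' => 'Nice post! &lt;3'],
    ['id' => 2, 'body' => '<script>alert(1)</script>'],
];

// Escape exactly once, at the point where a string becomes HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_comment(array $row): string
{
    return '<li id="c' . (int) $row['id'] . '">' . h($row['body']) . "</li>\n";
}

foreach (COMMENTS as $row) {
    echo render_comment($row);
}
// Row 2 is rendered as inert text: &lt;script&gt;alert(1)&lt;/script&gt;
// Row 1 is double-encoded (&amp;lt;3 displays as "&lt;3"), which is the
// cost of filtering on input as well: store the raw text, escape on output.
```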


