[nycphp-talk] Injection Attack, any ideas?
David Krings
ramons at gmx.net
Sat Nov 17 07:58:13 EST 2007
Daniel Convissor wrote:
> Hi Rob:
>
> On Mon, Nov 12, 2007 at 04:26:54PM -0500, Rob Marscher wrote:
>> But it's expensive to escape it every time someone views the page.
>> Therefore, it's recommended to filter it on input but store the
>> filtered version
>
> This approach is flawed because disgruntled people who have server side
> access to the database can insert HTML. Escaping HTML upon page
> generation is the safest way to go.
>
> --Dan
Exactly! All input is evil, even when it comes from your database and your
script. There is no good reason not to check input each and every time, there
are only bad excuses for not doing it.
David
More information about the talk
mailing list