[nycphp-talk] Not-so-subtle attack on PHP

John Campbell jcampbell1 at
Wed Sep 26 22:46:43 EDT 2007

> My personal favorite:
> public function esc( $value ) {
>   return mysql_real_escape_string( $value, $this->db );
> }

If that is your personal favorite, you are justifying the the article.
All you have to do is forget to use single quotes once and your site
is vulnerable.  Step up and start using prepared queries.

On a similar subject:
If your solution is to "validate input" or "input filtering", you are
going about things all wrong.  Validating input is for the birds;
prepared sql and output escaping is the way to go.  I don't give a
shit if my user's use names like "<a href='javascript:blahblah'>" ,
just like my web email client doesn't filter it from this post.  I
default to escaping the html automatically when I send it to the view,
and all queries are prepared.  It makes coding much easier, and I
don't have to worry about forgetting to call esc() once.

When coders hear "don't trust user input" it foolishly gets translated
to "validate the user's input" and that is one of the primary problems
with php coders today.  I trust all user input and just escape it for
the db and display.  I occasionally validate the input, but that is
just to make sure the user didn't make a typo.

-John Campbell

More information about the talk mailing list