[nycphp-talk] User Input Data scrubbing
shiflett at php.net
Fri Nov 28 20:00:45 EST 2008
On Nov 28, 2008, at 16:59, Michele Waldman wrote:
> What about inserting a comment
> <script>alert('hi');</script>'; delete from users;
> Like I’m going to name my table users?
> With that one statement about they have performed a sql injection
> and html injection in one stroke.
> Bada bing bada bang bada boom
> Next time I display their comment out of the database they are
> popping up an alert to every user and my users are gone.
Two words: escape output
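An added PHP example of the advice above (mine, not code from the thread or from Chris Shiflett): the comment goes into the database through a prepared statement, so the stray quote and the trailing "delete from users" are stored as data, and it is escaped for the HTML context when displayed, so the script tag is rendered as inert text. The comments/users tables, the in-memory SQLite database and the hostile input string are constructed for the illustration.

```php
<?php
// Added example, not from the original thread. Table names and the
// sqlite::memory: DSN are assumptions for illustration only.

function store_comment(PDO $db, string $comment): void
{
    // Parameterised query: the comment is bound as a value, never
    // concatenated into the SQL text, so "'; delete from users;" is inert.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
}

function render_comment(string $comment): string
{
    // Escape on output for the HTML body context. ENT_QUOTES escapes both
    // ' and "; ENT_SUBSTITUTE keeps invalid UTF-8 from turning into "".
    return '<p class="comment">'
        . htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// Constructed hostile input, the same payload quoted in the thread.
$hostile = "<script>alert('hi');</script>'; delete from users;";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");

store_comment($db, $hostile);

// The users table is untouched and the comment was stored verbatim:
// no escaping or "scrubbing" happened on the way in.
$users = (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
$stored = $db->query('SELECT body FROM comments')->fetchColumn();
if ($users !== 1 || $stored !== $hostile) {
    throw new RuntimeException('unexpected database state');
}

// On the way out the markup is escaped, so no alert fires in the browser.
echo render_comment($stored), PHP_EOL;
```

Note that the data in the database is still the raw comment; it is the output step, not the input step, that decides whether it is harmful. If the same comment is later emitted inside a JavaScript string or an attribute, it needs the escaping rules for that context instead.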